CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

CVE-2024-32966 (GCVE-0-2024-32966)

Vulnerability from cvelistv5 – Published: 2024-05-01 05:39 – Updated: 2024-08-02 02:27
Title
Stored Cross-site Scripting in directory listings via file names in static-web-server
Summary
Static Web Server (SWS) is a tiny and fast production-ready web server suitable to serve static web files or assets. In affected versions, if directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like `<img src=x onerror=alert(1)>.txt` will allow JavaScript code execution in the context of the web server’s domain. SWS generally does not perform escaping of HTML entities on any values inserted in the directory listing. At the very least `file_name` and `current_path` could contain malicious data however. `file_uri` could also be malicious but the relevant scenarios seem to be all caught by hyper. For any web server that allows users to upload files or create directories under a name of their choosing this becomes a stored Cross-site Scripting vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
Vendor Product Version
static-web-server static-web-server Affected: < 2.30.0
static-web-server static-web-server Affected: 0 , < 2.30.0 (custom)
    cpe:2.3:a:static-web-server:static-web-server:*:*:*:*:*:*:*:*

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:static-web-server:static-web-server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "static-web-server",
            "vendor": "static-web-server",
            "versions": [
              {
                "lessThan": "2.30.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32966",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-01T13:32:21.337221Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:51:23.573Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:27:52.676Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-rwfq-v4hq-h7fg",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-rwfq-v4hq-h7fg"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "static-web-server",
          "vendor": "static-web-server",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.30.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Static Web Server (SWS) is a tiny and fast production-ready web server suitable to serve static web files or assets. In affected versions if directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like `\u003cimg src=x onerror=alert(1)\u003e.txt` will allow JavaScript code execution in the context of the web server\u2019s domain. SWS generally does not perform escaping of HTML entities on any values inserted in the directory listing. At the very least `file_name` and `current_path` could contain malicious data however. `file_uri` could also be malicious but the relevant scenarios seem to be all caught by hyper. For any web server that allow users to upload files or create directories under a name of their choosing this becomes a stored Cross-site Scripting vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T05:39:28.758Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-rwfq-v4hq-h7fg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-rwfq-v4hq-h7fg"
        }
      ],
      "source": {
        "advisory": "GHSA-rwfq-v4hq-h7fg",
        "discovery": "UNKNOWN"
      },
      "title": "Stored Cross-site Scripting in directory listings via file names in static-web-server"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32966",
    "datePublished": "2024-05-01T05:39:28.758Z",
    "dateReserved": "2024-04-22T15:14:59.165Z",
    "dateUpdated": "2024-08-02T02:27:52.676Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-34070 (GCVE-0-2024-34070)

Vulnerability from cvelistv5 – Published: 2024-05-10 15:21 – Updated: 2024-08-02 02:42
Title
Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise
Summary
Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
Vendor Product Version
froxlor Froxlor Affected: < 2.1.9
froxlor froxlor Affected: 2.1.9* , < 2.1.9 (custom)
    cpe:2.3:a:froxlor:froxlor:-:*:*:*:*:*:*:*

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:froxlor:froxlor:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "froxlor",
            "vendor": "froxlor",
            "versions": [
              {
                "lessThan": "2.1.9",
                "status": "affected",
                "version": "2.1.9*",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34070",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-10T20:22:17.320471Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:42:49.031Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:42:59.890Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53"
          },
          {
            "name": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Froxlor",
          "vendor": "froxlor",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs.  By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.7,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-10T15:21:37.883Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53"
        },
        {
          "name": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6"
        }
      ],
      "source": {
        "advisory": "GHSA-x525-54hf-xr53",
        "discovery": "UNKNOWN"
      },
      "title": "Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34070",
    "datePublished": "2024-05-10T15:21:37.883Z",
    "dateReserved": "2024-04-30T06:56:33.381Z",
    "dateUpdated": "2024-08-02T02:42:59.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-34699 (GCVE-0-2024-34699)

Vulnerability from cvelistv5 – Published: 2024-05-13 19:01 – Updated: 2024-08-02 02:59
Title
GZ::CTF allows unprivileged user can perform XSS attacks by constructing malicious team names.
Summary
GZ::CTF is a capture the flag platform. Prior to 0.20.1, an unprivileged user can perform cross-site scripting attacks on other users by constructing malicious team names. This problem has been fixed in `v0.20.1`.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
GZTimeWalker GZCTF Affected: < 0.20.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-13T20:24:35.156575Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:42:46.930Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:59:21.655Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/GZTimeWalker/GZCTF/security/advisories/GHSA-p6rq-5x3x-rmhh",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/GZTimeWalker/GZCTF/security/advisories/GHSA-p6rq-5x3x-rmhh"
          },
          {
            "name": "https://github.com/GZTimeWalker/GZCTF/commit/31e775b65cddf82a567d68dcdc78c1739b746346",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/GZTimeWalker/GZCTF/commit/31e775b65cddf82a567d68dcdc78c1739b746346"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GZCTF",
          "vendor": "GZTimeWalker",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.20.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GZ::CTF is a capture the flag platform. Prior to 0.20.1, unprivileged user can perform cross-site scripting attacks on other users by constructing malicious team names. This problem has been fixed in `v0.20.1`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-13T19:01:19.774Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/GZTimeWalker/GZCTF/security/advisories/GHSA-p6rq-5x3x-rmhh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/GZTimeWalker/GZCTF/security/advisories/GHSA-p6rq-5x3x-rmhh"
        },
        {
          "name": "https://github.com/GZTimeWalker/GZCTF/commit/31e775b65cddf82a567d68dcdc78c1739b746346",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/GZTimeWalker/GZCTF/commit/31e775b65cddf82a567d68dcdc78c1739b746346"
        }
      ],
      "source": {
        "advisory": "GHSA-p6rq-5x3x-rmhh",
        "discovery": "UNKNOWN"
      },
      "title": "GZ::CTF allows unprivileged user can perform XSS attacks by constructing malicious team names."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34699",
    "datePublished": "2024-05-13T19:01:19.774Z",
    "dateReserved": "2024-05-07T13:53:00.132Z",
    "dateUpdated": "2024-08-02T02:59:21.655Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-35112 (GCVE-0-2024-35112)

Vulnerability from cvelistv5 – Published: 2025-01-25 13:31 – Updated: 2025-01-27 17:30
Title
IBM Control Center cross-site scripting
Summary
IBM Control Center 6.2.1 and 6.3.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
ibm
References
Impacted products
Vendor Product Version
IBM Control Center Affected: 6.2.1, 6.3.1
    cpe:2.3:a:ibm:control_center:6.2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:control_center:6.3.1.0:*:*:*:*:*:*:*

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35112",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-27T17:30:02.880928Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-27T17:30:11.832Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:control_center:6.2.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:control_center:6.3.1.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Control Center",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "6.2.1, 6.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Control Center 6.2.1 and 6.3.1 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.\u003c/span\u003e"
            }
          ],
          "value": "IBM Control Center 6.2.1 and 6.3.1 \n\ncould allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-25T13:31:25.755Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7174794"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Control Center cross-site scripting",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2024-35112",
    "datePublished": "2025-01-25T13:31:25.755Z",
    "dateReserved": "2024-05-09T16:27:02.677Z",
    "dateUpdated": "2025-01-27T17:30:11.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-35224 (GCVE-0-2024-35224)

Vulnerability from cvelistv5 – Published: 2024-05-23 12:53 – Updated: 2024-08-02 03:07
Title
Stored Cross-Site Scripting (XSS) in OpenProject
Summary
OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store javascript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
Vendor Product Version
opf openproject Affected: >= 13.4.0, < 13.4.2
Affected: < 14.1.0
Affected: >= 14.0.0, < 14.0.2

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35224",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T16:39:22.186123Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:33:30.104Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:07:46.774Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc"
          },
          {
            "name": "https://community.openproject.org/projects/openproject/work_packages/55198/relations",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://community.openproject.org/projects/openproject/work_packages/55198/relations"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openproject",
          "vendor": "opf",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.4.0, \u003c 13.4.2"
            },
            {
              "status": "affected",
              "version": "\u003c 14.1.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 14.0.0, \u003c 14.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions \"Edit work packages\" as well as \"Add attachments\". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket\u0027s attachment, you can store javascript in the application itself and bypass the application\u0027s CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-23T12:53:04.336Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opf/openproject/security/advisories/GHSA-h26c-j8wg-frjc"
        },
        {
          "name": "https://community.openproject.org/projects/openproject/work_packages/55198/relations",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://community.openproject.org/projects/openproject/work_packages/55198/relations"
        }
      ],
      "source": {
        "advisory": "GHSA-h26c-j8wg-frjc",
        "discovery": "UNKNOWN"
      },
      "title": "Stored Cross-Site Scripting (XSS) in OpenProject"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-35224",
    "datePublished": "2024-05-23T12:53:04.336Z",
    "dateReserved": "2024-05-14T15:39:41.784Z",
    "dateUpdated": "2024-08-02T03:07:46.774Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-35680 (GCVE-0-2024-35680)

Vulnerability from cvelistv5 – Published: 2024-06-10 15:48 – Updated: 2026-04-28 16:09
Title
WordPress YITH WooCommerce Product Add-Ons plugin <= 4.9.2 - Content Injection vulnerability
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons. This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.9.2.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Impacted products
Vendor Product Version
YITHEMES YITH WooCommerce Product Add-Ons Affected: 0 , ≤ 4.9.2 (custom)
yithemes yith_woocommerce_product_add-ons Affected: 0 , ≤ 4.9.2 (custom)
    cpe:2.3:a:yithemes:yith_woocommerce_product_add-ons:*:*:*:*:*:wordpress:*:*
Date Public
2026-04-01 16:25
Credits
savphill | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:yithemes:yith_woocommerce_product_add-ons:*:*:*:*:*:wordpress:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "yith_woocommerce_product_add-ons",
            "vendor": "yithemes",
            "versions": [
              {
                "lessThanOrEqual": "4.9.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35680",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-10T18:34:15.454647Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-10T18:35:56.458Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:14:53.988Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-plugin-4-9-2-content-injection-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "yith-woocommerce-product-add-ons",
          "product": "YITH WooCommerce Product Add-Ons",
          "vendor": "YITHEMES",
          "versions": [
            {
              "changes": [
                {
                  "at": "4.9.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.9.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "savphill | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:25:59.152Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.\u003cp\u003eThis issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.9.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.9.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:09:52.933Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-product-add-ons/vulnerability/wordpress-yith-woocommerce-product-add-ons-plugin-4-9-2-content-injection-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress YITH WooCommerce Product Add-Ons plugin \u003c= 4.9.2 - Content Injection vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-35680",
    "datePublished": "2024-06-10T15:48:09.142Z",
    "dateReserved": "2024-05-17T10:08:45.807Z",
    "dateUpdated": "2026-04-28T16:09:52.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-36395 (GCVE-0-2024-36395)

Vulnerability from cvelistv5 – Published: 2024-06-13 12:32 – Updated: 2024-08-02 03:37
Title
Verint - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Summary
Verint - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Impacted products
Vendor Product Version
Verint WFO Affected: All versions , < Upgrade to version 15.2.1030 or greater. (custom)
Date Public
2024-06-13 12:29
Credits
Osher Assor

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36395",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-12T19:21:13.023049Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-12T19:21:21.657Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:37:05.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WFO",
          "vendor": "Verint",
          "versions": [
            {
              "lessThan": "Upgrade to version 15.2.1030 or greater.",
              "status": "affected",
              "version": "All versions",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Osher Assor"
        }
      ],
      "datePublic": "2024-06-13T12:29:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVerint - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\u003c/span\u003e\n\n"
            }
          ],
          "value": "Verint - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-13T12:32:22.905Z",
        "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
        "shortName": "INCD"
      },
      "references": [
        {
          "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to version 15.2.1030 or greater.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Upgrade to version 15.2.1030 or greater."
        }
      ],
      "source": {
        "advisory": "ILVN-2024-0164",
        "discovery": "UNKNOWN"
      },
      "title": "Verint - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
    "assignerShortName": "INCD",
    "cveId": "CVE-2024-36395",
    "datePublished": "2024-06-13T12:32:22.905Z",
    "dateReserved": "2024-05-27T13:04:44.111Z",
    "dateUpdated": "2024-08-02T03:37:05.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37156 (GCVE-0-2024-37156)

Vulnerability from cvelistv5 – Published: 2024-06-06 16:03 – Updated: 2024-08-02 03:50
Title
TokenController formName not sanitized in hidden input
Summary
The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
Vendor Product Version
sulu SuluFormBundle Affected: >=2.0.0, < 2.5.3

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37156",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T12:57:53.699448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-19T20:48:56.217Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:50:54.830Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3"
          },
          {
            "name": "https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SuluFormBundle",
          "vendor": "sulu",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=2.0.0, \u003c 2.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-06T16:03:46.771Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3"
        },
        {
          "name": "https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17"
        }
      ],
      "source": {
        "advisory": "GHSA-rrvc-c7xg-7cf3",
        "discovery": "UNKNOWN"
      },
      "title": "TokenController formName not sanitized in hidden input"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-37156",
    "datePublished": "2024-06-06T16:03:46.771Z",
    "dateReserved": "2024-06-03T17:29:38.329Z",
    "dateUpdated": "2024-08-02T03:50:54.830Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37166 (GCVE-0-2024-37166)

Vulnerability from cvelistv5 – Published: 2024-06-10 21:29 – Updated: 2024-08-02 03:50
Title
ghtml Cross-Site Scripting (XSS) vulnerability
Summary
ghtml is software that uses tagged templates for template engine functionality. It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Version 2.0.0 introduces changes to mitigate this issue. Version 2.0.0 contains updated documentation to clarify that while ghtml escapes characters with special meaning in HTML, it does not provide comprehensive protection against all types of XSS attacks in every scenario. This aligns with the approach taken by other template engines. Developers should be cautious and take additional measures to sanitize user input and prevent potential vulnerabilities. Additionally, the backtick character (`) is now also escaped to prevent the creation of strings in most cases where a malicious actor somehow gains the ability to write JavaScript. This does not provide comprehensive protection either.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Impacted products
Vendor Product Version
gurgunday ghtml Affected: < 2.0.0
gurgunday ghtml Affected: 0 , < 2.0.0 (custom)
    cpe:2.3:a:gurgunday:ghtml:*:*:*:*:*:*:*:*

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:gurgunday:ghtml:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ghtml",
            "vendor": "gurgunday",
            "versions": [
              {
                "lessThan": "2.0.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37166",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-11T13:48:07.690512Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-11T13:54:00.622Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:50:54.682Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/gurgunday/ghtml/security/advisories/GHSA-vvhj-v88f-5gxr",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/gurgunday/ghtml/security/advisories/GHSA-vvhj-v88f-5gxr"
          },
          {
            "name": "https://github.com/gurgunday/ghtml/commit/df1ea50fe8968a766fd2b9379a8f9806375227f8",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/gurgunday/ghtml/commit/df1ea50fe8968a766fd2b9379a8f9806375227f8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ghtml",
          "vendor": "gurgunday",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ghtml is software that uses tagged templates for template engine functionality. It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Version 2.0.0 introduces changes to mitigate this issue. Version 2.0.0 contains updated documentation to clarify that while ghtml escapes characters with special meaning in HTML, it does not provide comprehensive protection against all types of XSS attacks in every scenario. This aligns with the approach taken by other template engines. Developers should be cautious and take additional measures to sanitize user input and prevent potential vulnerabilities. Additionally, the backtick character (`) is now also escaped to prevent the creation of strings in most cases where a malicious actor somehow gains the ability to write JavaScript. This does not provide comprehensive protection either."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-10T21:29:28.578Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gurgunday/ghtml/security/advisories/GHSA-vvhj-v88f-5gxr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gurgunday/ghtml/security/advisories/GHSA-vvhj-v88f-5gxr"
        },
        {
          "name": "https://github.com/gurgunday/ghtml/commit/df1ea50fe8968a766fd2b9379a8f9806375227f8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gurgunday/ghtml/commit/df1ea50fe8968a766fd2b9379a8f9806375227f8"
        }
      ],
      "source": {
        "advisory": "GHSA-vvhj-v88f-5gxr",
        "discovery": "UNKNOWN"
      },
      "title": "ghtml Cross-Site Scripting (XSS) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-37166",
    "datePublished": "2024-06-10T21:29:28.578Z",
    "dateReserved": "2024-06-03T17:29:38.330Z",
    "dateUpdated": "2024-08-02T03:50:54.682Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37297 (GCVE-0-2024-37297)

Vulnerability from cvelistv5 – Published: 2024-06-12 15:05 – Updated: 2024-08-02 03:50
Title
WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms
Summary
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Impacted products
Vendor Product Version
woocommerce woocommerce Affected: >= 8.8.0, < 8.8.5
Affected: >= 8.9.0, < 8.9.3

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37297",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-13T19:59:12.949157Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-13T19:59:46.310Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:50:56.092Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf"
          },
          {
            "name": "https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4"
          },
          {
            "name": "https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67"
          },
          {
            "name": "https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "woocommerce",
          "vendor": "woocommerce",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.8.0, \u003c 8.8.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.9.0, \u003c 8.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML \u0026 JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content \u0026 data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-12T15:05:46.468Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf"
        },
        {
          "name": "https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4"
        },
        {
          "name": "https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67"
        },
        {
          "name": "https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0"
        }
      ],
      "source": {
        "advisory": "GHSA-cv23-q6gh-xfrf",
        "discovery": "UNKNOWN"
      },
      "title": "WooCommerce has a Cross-Site Scripting Vulnerability in checkout \u0026 registration forms"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-37297",
    "datePublished": "2024-06-12T15:05:46.468Z",
    "dateReserved": "2024-06-05T20:10:46.496Z",
    "dateUpdated": "2024-08-02T03:50:56.092Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation

Phase: Implementation

Description:

  • Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation ID: MIT-30.1

Phase: Implementation

Strategy: Output Encoding

Description:

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation ID: MIT-43
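
The allowlist check from MIT-30.1 and the declared output encoding from MIT-43, combined with entity-encoding of the characters CWE-80 names, shown as an added example that is not part of the CWE entry or of any product's code. The parameter names, the `RULES` table and the function names are assumptions made for the illustration, and the sample query string is constructed.

```javascript
// Added illustration; RULES, parameter names and function names are assumptions.
// Allowlist per parameter (MIT-30.1). A Map avoids prototype keys such as "constructor".
const RULES = new Map([
  ['utm_source', /^[A-Za-z0-9._-]{1,64}$/],
  ['page', /^[0-9]{1,6}$/],
]);

// Entity-encode the characters CWE-80 names, plus quotes for attribute values.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Check every query parameter, not only the ones the page expects to display.
function validateQuery(rawQuery) {
  const accepted = {};
  const rejected = [];
  for (const [name, value] of new URLSearchParams(rawQuery)) {
    const rule = RULES.get(name);
    if (rule && rule.test(value)) accepted[name] = value;
    else rejected.push(name);
  }
  return { accepted, rejected };
}

// Build the response: validated input is still encoded on output, and the
// character encoding is declared so the browser does not have to guess (MIT-43).
function buildResponse(rawQuery) {
  const { accepted, rejected } = validateQuery(rawQuery);
  const source = accepted.utm_source ?? 'direct';
  const ignored = rejected.map(escapeHtml).join(', ') || 'none';
  const body =
    '<!doctype html><meta charset="utf-8">' +
    `<p>Source: ${escapeHtml(source)}</p>` +
    `<input type="hidden" name="source" value="${escapeHtml(source)}">` +
    `<p>Ignored parameters: ${ignored}</p>`;
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
  return { status: 200, headers, body };
}

// Constructed request: a markup-bearing value and an unexpected parameter name.
const sample = 'utm_source=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&%3Cb%3E=1';
console.log(buildResponse(sample).body);
```

The rejected parameter name is reflected only after encoding, which covers the case the mitigation warns about: request data echoed back that nobody planned to display.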

Phase: Implementation

Description:

  • With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation ID: MIT-31

Phase: Implementation

Strategy: Attack Surface Reduction

Description:

  • To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CAPEC-18: XSS Targeting Non-Script Elements

This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch an XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.

CAPEC-193: PHP Remote File Inclusion

In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.

CAPEC-32: XSS Through HTTP Query Strings

An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then proceeds to use the parameter values without properly validating them first and generates the HTML code that will be executed by the victim's browser.

CAPEC-86: XSS Through HTTP Headers

An adversary exploits web applications that generate web content, such as links in an HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers, which are hidden from most users and may not be validated by web applications.
