CVE-2024-4302
Vulnerability from cvelistv5
Published
2024-04-29 05:46
Modified
2024-08-01 20:33
Summary
Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks.
Impacted products
Vendor Product Version
Super 8 livechat SDK Version: earlier (≤ 4.5.0)


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:super_8:livechat_SDK:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "livechat_SDK",
                  vendor: "super_8",
                  versions: [
                     {
                        status: "affected",
                        version: "*",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-4302",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-04-29T13:09:20.761927Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:55:24.266Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T20:33:53.106Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "third-party-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-7779-35562-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "livechat SDK",
               vendor: "Super 8",
               versions: [
                  {
                     lessThanOrEqual: "4.5.0",
                     status: "affected",
                     version: "earlier",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2024-04-29T05:44:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks.",
                  },
               ],
               value: "Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks.",
            },
         ],
         impacts: [
            {
               capecId: "CAPEC-592",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-592 Stored XSS",
                  },
               ],
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.1,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-79",
                     description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-04-29T05:46:52.134Z",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "third-party-advisory",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-7779-35562-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Update to 4.6.0 or later version (the patch was released on 2024/3/18; refresh the webpage to update it automatically).",
                  },
               ],
               value: "Update to 4.6.0 or later version (the patch was released on 2024/3/18; refresh the webpage to update it automatically).",
            },
         ],
         source: {
            advisory: "\tTVN-202404013",
            discovery: "EXTERNAL",
         },
         title: "Super 8 livechat SDK - Cross-site Scripting",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2024-4302",
      datePublished: "2024-04-29T05:46:52.134Z",
      dateReserved: "2024-04-29T03:23:14.861Z",
      dateUpdated: "2024-08-01T20:33:53.106Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         descriptions: "[{\"lang\": \"en\", \"value\": \"Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks.\"}, {\"lang\": \"es\", \"value\": \"La plataforma de servicio al cliente en l\\u00ednea Super 8 Live Chat no filtra adecuadamente la entrada del usuario, lo que permite a atacantes remotos no autenticados insertar c\\u00f3digo JavaScript en el cuadro de chat. Cuando el destinatario del mensaje ve el mensaje, se vuelve susceptible a ataques de cross site scripting (XSS).\"}]",
         id: "CVE-2024-4302",
         lastModified: "2024-11-21T09:42:34.747",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"twcert@cert.org.tw\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
         published: "2024-04-29T06:15:17.803",
         references: "[{\"url\": \"https://www.twcert.org.tw/tw/cp-132-7779-35562-1.html\", \"source\": \"twcert@cert.org.tw\"}, {\"url\": \"https://www.twcert.org.tw/tw/cp-132-7779-35562-1.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
         sourceIdentifier: "twcert@cert.org.tw",
         vulnStatus: "Awaiting Analysis",
         weaknesses: "[{\"source\": \"twcert@cert.org.tw\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2024-4302\",\"sourceIdentifier\":\"twcert@cert.org.tw\",\"published\":\"2024-04-29T06:15:17.803\",\"lastModified\":\"2024-11-21T09:42:34.747\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks.\"},{\"lang\":\"es\",\"value\":\"La plataforma de servicio al cliente en línea Super 8 Live Chat no filtra adecuadamente la entrada del usuario, lo que permite a atacantes remotos no autenticados insertar código JavaScript en el cuadro de chat. Cuando el destinatario del mensaje ve el mensaje, se vuelve susceptible a ataques de cross site scripting (XSS).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://www.twcert.org.tw/tw/cp-132-7779-35562-1.html\",\"source\":\"twcert@cert.org.tw\"},{\"url\":\"https://www.twcert.org.tw/tw/cp-132-7779-35562-1.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.twcert.org.tw/tw/cp-132-7779-35562-1.html\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:33:53.106Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-4302\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-29T13:09:20.761927Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:super_8:livechat_SDK:*:*:*:*:*:*:*:*\"], \"vendor\": \"super_8\", \"product\": \"livechat_SDK\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-04-29T13:11:47.307Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Super 8 livechat SDK - Cross-site Scripting\", \"source\": {\"advisory\": \"\\tTVN-202404013\", \"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-592\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-592 Stored XSS\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Super 8\", \"product\": \"livechat SDK\", \"versions\": [{\"status\": \"affected\", 
\"version\": \"earlier\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.5.0\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to 4.6.0 or later version\\uff08Patch has been released on 2024/3/18. Please refreshing the webpage to automatically update it.\\uff09\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update to 4.6.0 or later version\\uff08Patch has been released on 2024/3/18. Please refreshing the webpage to automatically update it.\\uff09\", \"base64\": false}]}], \"datePublic\": \"2024-04-29T05:44:00.000Z\", \"references\": [{\"url\": \"https://www.twcert.org.tw/tw/cp-132-7779-35562-1.html\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}]}], \"providerMetadata\": {\"orgId\": \"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e\", \"shortName\": \"twcert\", \"dateUpdated\": \"2024-04-29T05:46:52.134Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-4302\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T20:33:53.106Z\", \"dateReserved\": \"2024-04-29T03:23:14.861Z\", \"assignerOrgId\": \"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e\", \"datePublished\": \"2024-04-29T05:46:52.134Z\", \"assignerShortName\": \"twcert\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}









Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.