CVE-2024-7124 (GCVE-0-2024-7124)

Vulnerability from cvelistv5 – Published: 2024-11-14 15:07 – Updated: 2024-11-14 16:06
VLAI?
Title
Reflected XSS in DInGO dLibra
Summary
Improper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software in the parameter 'filter' in the endpoint 'indexsearch' allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20.
Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/U:Green
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Poznan Supercomputing and Networking Center DInGO dLIbra Affected: 6.0 , < 6.3.20 (custom)
Create a notification for this product.
Credits
Kacper Rybczyński
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:poznan_supercomputing_and_networking_center:dingo_dlibra:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dingo_dlibra",
            "vendor": "poznan_supercomputing_and_networking_center",
            "versions": [
              {
                "lessThan": "6.3.20",
                "status": "affected",
                "version": "6.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7124",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-14T16:00:09.691686Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-14T16:06:24.925Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DInGO dLIbra",
          "vendor": "Poznan Supercomputing and Networking Center",
          "versions": [
            {
              "lessThan": "6.3.20",
              "status": "affected",
              "version": "6.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kacper Rybczy\u0144ski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eImproper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software\u0026nbsp;in the parameter \u0027filter\u0027 in the endpoint \u0027indexsearch\u0027 allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user\u0027s browser. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software\u00a0in the parameter \u0027filter\u0027 in the endpoint \u0027indexsearch\u0027 allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user\u0027s browser. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-14T15:07:50.313Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2024/11/CVE-2024-7124/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/posts/2024/11/CVE-2024-7124/"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://dingo.psnc.pl/dlibra/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Reflected XSS in DInGO dLibra",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2024-7124",
    "datePublished": "2024-11-14T15:07:50.313Z",
    "dateReserved": "2024-07-26T06:14:05.930Z",
    "dateUpdated": "2024-11-14T16:06:24.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software\\u00a0in the parameter \u0027filter\u0027 in the endpoint \u0027indexsearch\u0027 allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user\u0027s browser. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20.\"}, {\"lang\": \"es\", \"value\": \"La vulnerabilidad de neutralizaci\\u00f3n inadecuada de la entrada durante la generaci\\u00f3n de p\\u00e1ginas web en el software DInGO dLibra en el par\\u00e1metro \u0027filter\u0027 del endpoint \u0027indexsearch\u0027 permite un ataque de Cross Site Scripting (XSS) reflejado. Un atacante podr\\u00eda enga\\u00f1ar a alguien para que use una URL manipulada, lo que har\\u00e1 que se ejecute un script en el navegador del usuario. Este problema afecta al software DInGO dLibra en las versiones 6.0 anteriores a la 6.3.20.\"}]",
      "id": "CVE-2024-7124",
      "lastModified": "2024-11-15T13:58:08.913",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"cvd@cert.pl\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:Green\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"PASSIVE\", \"vulnerableSystemConfidentiality\": \"LOW\", \"vulnerableSystemIntegrity\": \"LOW\", \"vulnerableSystemAvailability\": \"LOW\", \"subsequentSystemConfidentiality\": \"LOW\", \"subsequentSystemIntegrity\": \"LOW\", \"subsequentSystemAvailability\": \"LOW\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"YES\", \"recovery\": \"AUTOMATIC\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"GREEN\"}}]}",
      "published": "2024-11-14T15:15:09.177",
      "references": "[{\"url\": \"https://cert.pl/en/posts/2024/11/CVE-2024-7124/\", \"source\": \"cvd@cert.pl\"}, {\"url\": \"https://cert.pl/posts/2024/11/CVE-2024-7124/\", \"source\": \"cvd@cert.pl\"}, {\"url\": \"https://dingo.psnc.pl/dlibra/\", \"source\": \"cvd@cert.pl\"}]",
      "sourceIdentifier": "cvd@cert.pl",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"cvd@cert.pl\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-7124\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2024-11-14T15:15:09.177\",\"lastModified\":\"2024-11-15T13:58:08.913\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software\u00a0in the parameter \u0027filter\u0027 in the endpoint \u0027indexsearch\u0027 allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user\u0027s browser. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web en el software DInGO dLibra en el par\u00e1metro \u0027filter\u0027 del endpoint \u0027indexsearch\u0027 permite un ataque de Cross Site Scripting (XSS) reflejado. Un atacante podr\u00eda enga\u00f1ar a alguien para que use una URL manipulada, lo que har\u00e1 que se ejecute un script en el navegador del usuario. Este problema afecta al software DInGO dLibra en las versiones 6.0 anteriores a la 6.3.20.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:Green\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"YES\",\"Recovery\":\"AUTOMATIC\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"GREEN\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://cert.pl/en/posts/2024/11/CVE-2024-7124/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://cert.pl/posts/2024/11/CVE-2024-7124/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://dingo.psnc.pl/dlibra/\",\"source\":\"cvd@cert.pl\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-7124\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-14T16:00:09.691686Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:poznan_supercomputing_and_networking_center:dingo_dlibra:*:*:*:*:*:*:*:*\"], \"vendor\": \"poznan_supercomputing_and_networking_center\", \"product\": \"dingo_dlibra\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.3.20\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-14T16:06:09.419Z\"}}], \"cna\": {\"title\": \"Reflected XSS in DInGO dLibra\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Kacper Rybczy\\u0144ski\"}], \"impacts\": [{\"capecId\": \"CAPEC-591\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-591 Reflected XSS\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"AUTOMATIC\", \"baseScore\": 5.3, \"Automatable\": \"YES\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/U:Green\", \"providerUrgency\": \"GREEN\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Poznan Supercomputing and Networking Center\", \"product\": \"DInGO dLIbra\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.3.20\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cert.pl/en/posts/2024/11/CVE-2024-7124/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://cert.pl/posts/2024/11/CVE-2024-7124/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://dingo.psnc.pl/dlibra/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software\\u00a0in the parameter \u0027filter\u0027 in the endpoint \u0027indexsearch\u0027 allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user\u0027s browser. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(252, 252, 252);\\\"\u003eImproper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software\u0026nbsp;in the parameter \u0027filter\u0027 in the endpoint \u0027indexsearch\u0027 allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user\u0027s browser. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2024-11-14T15:07:50.313Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-7124\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-14T16:06:24.925Z\", \"dateReserved\": \"2024-07-26T06:14:05.930Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2024-11-14T15:07:50.313Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.