cve-2024-40875
Vulnerability from cvelistv5
Published
2024-12-20 20:17
Modified
2024-12-20 20:17
Severity ?
5.9 (Medium) - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
There is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.52. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are high, user interaction required is none. The impact to confidentiality is none, the impact to availability is low, and the impact to system integrity is high.
References
SecurityResponse@netmotionsoftware.comhttps://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Management Console"
          ],
          "product": "Secure Access",
          "vendor": "Absolute Software",
          "versions": [
            {
              "lessThan": "13.52",
              "status": "affected",
              "version": "0",
              "versionType": "Server"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere is a cross-site scripting vulnerability in the\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\nwith system administrator permissions can interfere with another system\nadministrator\u2019s use of the management console when the second administrator logs\nin. Attack complexity is high, attack requirements are present, privileges\nrequired are high, user interaction required is none. The impact to\nconfidentiality is none, the impact to availability is low, and the impact to\nsystem integrity is high. \u003c/p\u003e"
            }
          ],
          "value": "There is a cross-site scripting vulnerability in the\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\nwith system administrator permissions can interfere with another system\nadministrator\u2019s use of the management console when the second administrator logs\nin. Attack complexity is high, attack requirements are present, privileges\nrequired are high, user interaction required is none. The impact to\nconfidentiality is none, the impact to availability is low, and the impact to\nsystem integrity is high."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-20T20:17:27.132Z",
        "orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
        "shortName": "Absolute"
      },
      "references": [
        {
          "url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site scripting vulnerability in the Secure Access administrative console prior to 13.52",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
    "assignerShortName": "Absolute",
    "cveId": "CVE-2024-40875",
    "datePublished": "2024-12-20T20:17:27.132Z",
    "dateReserved": "2024-07-10T20:40:17.120Z",
    "dateUpdated": "2024-12-20T20:17:27.132Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-40875\",\"sourceIdentifier\":\"SecurityResponse@netmotionsoftware.com\",\"published\":\"2024-12-20T21:15:08.290\",\"lastModified\":\"2024-12-20T21:15:08.290\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a cross-site scripting vulnerability in the\\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\\nwith system administrator permissions can interfere with another system\\nadministrator\u2019s use of the management console when the second administrator logs\\nin. Attack complexity is high, attack requirements are present, privileges\\nrequired are high, user interaction required is none. The impact to\\nconfidentiality is none, the impact to availability is low, and the impact to\\nsystem integrity is high.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"SecurityResponse@netmotionsoftware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"NONE\",\"vulnerableSystemIntegrity\":\"HIGH\",\"vulnerableSystemAvailability\":\"LOW\",\"subsequentSystemConfidentiality\":\"NONE\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"SecurityResponse@netmotionsoftware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/\",\"source\":\"SecurityResponse@netmotionsoftware.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.