CVE-2024-40875 (GCVE-0-2024-40875)

Vulnerability from cvelistv5 – Published: 2024-12-20 20:17 – Updated: 2024-12-24 15:57
VLAI?
Summary
There is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.52. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are high, user interaction required is none. The impact to confidentiality is none, the impact to availability is low, and the impact to system integrity is high.
Severity ?
5.9 (Medium)
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Absolute Software Secure Access Affected: 0 , < 13.52 (Server)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-40875",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-24T15:56:55.279442Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-24T15:57:03.223Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Management Console"
          ],
          "product": "Secure Access",
          "vendor": "Absolute Software",
          "versions": [
            {
              "lessThan": "13.52",
              "status": "affected",
              "version": "0",
              "versionType": "Server"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere is a cross-site scripting vulnerability in the\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\nwith system administrator permissions can interfere with another system\nadministrator\u2019s use of the management console when the second administrator logs\nin. Attack complexity is high, attack requirements are present, privileges\nrequired are high, user interaction required is none. The impact to\nconfidentiality is none, the impact to availability is low, and the impact to\nsystem integrity is high. \u003c/p\u003e"
            }
          ],
          "value": "There is a cross-site scripting vulnerability in the\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\nwith system administrator permissions can interfere with another system\nadministrator\u2019s use of the management console when the second administrator logs\nin. Attack complexity is high, attack requirements are present, privileges\nrequired are high, user interaction required is none. The impact to\nconfidentiality is none, the impact to availability is low, and the impact to\nsystem integrity is high."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-20T20:17:27.132Z",
        "orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
        "shortName": "Absolute"
      },
      "references": [
        {
          "url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site scripting vulnerability in the Secure Access administrative console prior to 13.52",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
    "assignerShortName": "Absolute",
    "cveId": "CVE-2024-40875",
    "datePublished": "2024-12-20T20:17:27.132Z",
    "dateReserved": "2024-07-10T20:40:17.120Z",
    "dateUpdated": "2024-12-24T15:57:03.223Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"There is a cross-site scripting vulnerability in the\\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\\nwith system administrator permissions can interfere with another system\\nadministrator\\u2019s use of the management console when the second administrator logs\\nin. Attack complexity is high, attack requirements are present, privileges\\nrequired are high, user interaction required is none. The impact to\\nconfidentiality is none, the impact to availability is low, and the impact to\\nsystem integrity is high.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de cross site scripting en management console de Absolute Secure Access anterior a la versi\\u00f3n 13.52. Los atacantes con permisos de administrador del sistema pueden interferir con el uso de la consola de administraci\\u00f3n por parte de otro administrador del sistema cuando el segundo administrador inicia sesi\\u00f3n. La complejidad del ataque es alta, existen requisitos de ataque, se requieren muchos privilegios y no se requiere interacci\\u00f3n del usuario. El impacto en la confidencialidad es nulo, el impacto en la disponibilidad es bajo y el impacto en la integridad del sistema es alto.\"}]",
      "id": "CVE-2024-40875",
      "lastModified": "2024-12-20T21:15:08.290",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"SecurityResponse@netmotionsoftware.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"NONE\", \"vulnerableSystemIntegrity\": \"HIGH\", \"vulnerableSystemAvailability\": \"LOW\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
      "published": "2024-12-20T21:15:08.290",
      "references": "[{\"url\": \"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/\", \"source\": \"SecurityResponse@netmotionsoftware.com\"}]",
      "sourceIdentifier": "SecurityResponse@netmotionsoftware.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"SecurityResponse@netmotionsoftware.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-40875\",\"sourceIdentifier\":\"SecurityResponse@netmotionsoftware.com\",\"published\":\"2024-12-20T21:15:08.290\",\"lastModified\":\"2024-12-20T21:15:08.290\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a cross-site scripting vulnerability in the\\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\\nwith system administrator permissions can interfere with another system\\nadministrator\u2019s use of the management console when the second administrator logs\\nin. Attack complexity is high, attack requirements are present, privileges\\nrequired are high, user interaction required is none. The impact to\\nconfidentiality is none, the impact to availability is low, and the impact to\\nsystem integrity is high.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de cross site scripting en management console de Absolute Secure Access anterior a la versi\u00f3n 13.52. Los atacantes con permisos de administrador del sistema pueden interferir con el uso de la consola de administraci\u00f3n por parte de otro administrador del sistema cuando el segundo administrador inicia sesi\u00f3n. La complejidad del ataque es alta, existen requisitos de ataque, se requieren muchos privilegios y no se requiere interacci\u00f3n del usuario. El impacto en la confidencialidad es nulo, el impacto en la disponibilidad es bajo y el impacto en la integridad del sistema es alto.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"SecurityResponse@netmotionsoftware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"SecurityResponse@netmotionsoftware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/\",\"source\":\"SecurityResponse@netmotionsoftware.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-40875\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-24T15:56:55.279442Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-24T15:56:59.358Z\"}}], \"cna\": {\"title\": \"Cross-site scripting vulnerability in the Secure Access administrative console prior to 13.52\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-63\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-63 Cross-Site Scripting (XSS)\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.9, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Absolute Software\", \"modules\": [\"Management Console\"], \"product\": \"Secure Access\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"13.52\", \"versionType\": \"Server\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"There is a cross-site scripting vulnerability in the\\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\\nwith system administrator permissions can interfere with another system\\nadministrator\\u2019s use of the management console when the second administrator logs\\nin. Attack complexity is high, attack requirements are present, privileges\\nrequired are high, user interaction required is none. The impact to\\nconfidentiality is none, the impact to availability is low, and the impact to\\nsystem integrity is high.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThere is a cross-site scripting vulnerability in the\\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\\nwith system administrator permissions can interfere with another system\\nadministrator\\u2019s use of the management console when the second administrator logs\\nin. Attack complexity is high, attack requirements are present, privileges\\nrequired are high, user interaction required is none. The impact to\\nconfidentiality is none, the impact to availability is low, and the impact to\\nsystem integrity is high. \u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"b6533044-ea05-4482-8458-7bddeca0d079\", \"shortName\": \"Absolute\", \"dateUpdated\": \"2024-12-20T20:17:27.132Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-40875\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-24T15:57:03.223Z\", \"dateReserved\": \"2024-07-10T20:40:17.120Z\", \"assignerOrgId\": \"b6533044-ea05-4482-8458-7bddeca0d079\", \"datePublished\": \"2024-12-20T20:17:27.132Z\", \"assignerShortName\": \"Absolute\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.