FKIE_CVE-2024-45879

Vulnerability from fkie_nvd - Published: 2024-11-13 21:15 - Updated: 2024-11-21 22:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The file upload function in the "QWKalkulation" tool of baltic-it TOPqw Webportal v1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to Cross-Site Scripting (XSS). To exploit the persistent XSS vulnerability, an attacker has to be authenticated to the application that uses the "TOPqw Webportal" as a software. When authenticated, the attacker can persistently place the malicious JavaScript code in the "QWKalkulation" menu.'
References
cve@mitre.orghttps://cyber.wtf/2024/11/11/topqw-webportal-cves/
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The file upload function in the \"QWKalkulation\" tool of baltic-it TOPqw Webportal v1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to Cross-Site Scripting (XSS). To exploit the persistent XSS vulnerability, an attacker has to be authenticated to the application that uses the \"TOPqw Webportal\" as a software. When authenticated, the attacker can persistently place the malicious JavaScript code in the \"QWKalkulation\" menu.\u0027"
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n de carga de archivos de la herramienta \"QWKalkulation\" de baltic-it TOPqw Webportal v1.35.287.1 (corregido en la versi\u00f3n 1.35.291), en /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, es vulnerable a Cross-Site Scripting (XSS). Para explotar la vulnerabilidad XSS persistente, un atacante debe estar autenticado en la aplicaci\u00f3n que utiliza el \"TOPqw Webportal\" como software. Una vez autenticado, el atacante puede colocar de forma persistente el c\u00f3digo JavaScript malicioso en el men\u00fa \"QWKalkulation\"."
    }
  ],
  "id": "CVE-2024-45879",
  "lastModified": "2024-11-21T22:15:09.093",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-13T21:15:29.093",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://cyber.wtf/2024/11/11/topqw-webportal-cves/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.