CVE-2024-1529

Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over their browser session.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple

Configurations

No configuration.

History

21 Nov 2024, 08:50

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad en CMS Made Simple 2.2.14, que no codifica suficientemente la entrada controlada por el usuario, lo que resulta en una vulnerabilidad de Cross Site Scripting (XSS) a través de /admin/adduser.php, en múltiples parámetros. Esta vulnerabilidad podría permitir que un atacante remoto envíe un payload de JavaScript especialmente manipulada a un usuario autenticado y se apodere parcialmente de su sesión de navegador.
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cms-made-simple -

12 Mar 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-12 16:15

Updated : 2024-11-21 08:50

NVD link : CVE-2024-1529

Mitre link : CVE-2024-1529

CVE.ORG link : CVE-2024-1529

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.4 /10