Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.
References
Configurations
No configuration.
History
21 Nov 2024, 09:17
Type | Values Removed | Values Added |
---|---|---|
References | () https://help.passbolt.com/incidents/reflective-html-injection-vulnerability - | |
References | () https://www.passbolt.com/incidents - | |
References | () https://www.passbolt.com/security/more - |
03 Jul 2024, 01:58
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-79 | |
Summary |
|
26 Apr 2024, 01:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-26 01:15
Updated : 2024-11-21 09:17
NVD link : CVE-2024-33670
Mitre link : CVE-2024-33670
CVE.ORG link : CVE-2024-33670
JSON object : View
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')