CVE-2024-39926

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-39926
An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/static/scripts/admin_users.js#L201
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0
https://www.mgm-sp.com/cve/html-injection-in-vaultwarden
Configurations

No configuration.

History

11 Nov 2024, 21:15

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en Vaultwarden (anteriormente Bitwarden_RS) 1.30.3. Se descubrió una vulnerabilidad de inyección de HTML o de Cross-site Scripting (XSS) almacenado, debido a la CSP predeterminada, en el panel de control del administrador. Esto potencialmente permite que un atacante autenticado inyecte código malicioso en el panel de control, que luego se ejecuta o se muestra en el contexto del navegador de un administrador al visualizar el contenido inyectado. Sin embargo, es importante tener en cuenta que la Política de seguridad de contenido (CSP) predeterminada de la aplicación bloquea la mayoría de las rutas de explotación, lo que mitiga significativamente el impacto potencial.
References
  • () https://www.mgm-sp.com/cve/html-injection-in-vaultwarden -

13 Sep 2024, 20:35

Type Values Removed Values Added
CWE CWE-79
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5

13 Sep 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-13 18:15

Updated : 2024-11-11 21:15

NVD link : CVE-2024-39926

Mitre link : CVE-2024-39926

CVE.ORG link : CVE-2024-39926

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024