CVE-2024-51380

Stored Cross-Site Scripting (XSS) vulnerability discovered in the Properties Component of JATOS v3.9.3. This flaw allows an attacker to inject malicious JavaScript into the properties section of a study, specifically within the UUID field. When an admin user accesses the study's properties, the injected script is executed in the admin's browser, which could lead to unauthorized actions, including account compromise and privilege escalation.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://hacking-notes.medium.com/cve-2024-51380-jatos-v3-9-3-stored-xss-properties-component-44aea338ee9c

Configurations

No configuration.

History

06 Nov 2024, 17:35

Type	Values Removed	Values Added
CWE		CWE-79
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.4
Summary		(es) Vulnerabilidad de Cross Site Scripting (XSS) almacenado descubierta en el componente Propiedades de JATOS v3.9.3. Este fallo permite a un atacante inyectar código JavaScript malicioso en la sección de propiedades de un estudio, específicamente en el campo UUID. Cuando un usuario administrador accede a las propiedades del estudio, el código inyectado se ejecuta en el navegador del administrador, lo que podría provocar acciones no autorizadas, como la vulneración de la cuenta y la escalada de privilegios.

05 Nov 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-05 19:15

Updated : 2024-11-06 18:17

NVD link : CVE-2024-51380

Mitre link : CVE-2024-51380

CVE.ORG link : CVE-2024-51380

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

8.4 /10