CVE-2024-9077

A vulnerability classified as problematic has been found in dingfangzu up to 29d67d9044f6f93378e6eb6ff92272217ff7225c. Affected is an unknown function of the file scripts/order.js of the component Order Checkout. The manipulation of the argument address-name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:gitapp:dingfanzu:*:*:*:*:*:*:*:*

History

27 Sep 2024, 16:31

Type Values Removed Values Added
CPE cpe:2.3:a:gitapp:dingfanzu:*:*:*:*:*:*:*:*
First Time Gitapp dingfanzu
Gitapp
CVSS v2 : 4.0
v3 : 3.5
v2 : 4.0
v3 : 5.4
References () https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/dingfanzu-CMS/dingfanzu-CMS%20order_confirm.html%20Ship-Address%20Stored%20Cross-Site%20Scripting(XSS).md - () https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/dingfanzu-CMS/dingfanzu-CMS%20order_confirm.html%20Ship-Address%20Stored%20Cross-Site%20Scripting(XSS).md - Exploit, Third Party Advisory
References () https://vuldb.com/?ctiid.278244 - () https://vuldb.com/?ctiid.278244 - Permissions Required, Third Party Advisory, VDB Entry
References () https://vuldb.com/?id.278244 - () https://vuldb.com/?id.278244 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.407527 - () https://vuldb.com/?submit.407527 - Third Party Advisory, VDB Entry

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Se ha encontrado una vulnerabilidad clasificada como problemática en dingfangzu hasta 29d67d9044f6f93378e6eb6ff92272217ff7225c. Se ve afectada una función desconocida del archivo scripts/order.js del componente Order Checkout. La manipulación del argumento address-name provoca cross site scripting. Es posible lanzar el ataque de forma remota. El exploit se ha divulgado al público y puede utilizarse. Este producto utiliza una versión continua para proporcionar una entrega continua. Por lo tanto, no hay detalles de las versiones afectadas ni de las versiones actualizadas disponibles. Se contactó primeramente con el proveedor sobre esta divulgación, pero no respondió de ninguna manera.

22 Sep 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-22 02:15

Updated : 2024-09-27 16:31


NVD link : CVE-2024-9077

Mitre link : CVE-2024-9077

CVE.ORG link : CVE-2024-9077


JSON object : View

Products Affected

gitapp

  • dingfanzu
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')