Lucene search

Df4dee71-de3a-4139-9588-11b62fe6c0ffCVE-2024-25155

HistoryMar 13, 2024 - 3:15 p.m.

CVE-2024-25155

2024-03-1315:15:51

CWE-79

df4dee71-de3a-4139-9588-11b62fe6c0ff

web.nvd.nist.gov

filecatalyst

direct

3.8.8

3.8.6

url sanitization

vulnerability

cve-2024-25155

nvd

security

web server

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

7.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Direct"
    ],
    "product": "FileCatalyst",
    "vendor": "Fortra",
    "versions": [
      {
        "lessThan": "3.8.9",
        "status": "affected",
        "version": "3.8.6 ",
        "versionType": "semver"
      }
    ]
  }
]

References

filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html

www.fortra.com/security/advisory/fi-2024-003

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

7.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-25155