Lucene search

[email protected]CVE-2024-4310

HistoryApr 29, 2024 - 1:15 p.m.

CVE-2024-4310

2024-04-2913:15:32

CWE-79

[email protected]

web.nvd.nist.gov

cross-site scripting

hubbank

session takeover

authentication

javascript payload

registration forms

profile forms

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

5.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover.

Affected configurations

Vulners

Node

ofofonobshubbankRange≤1.0.2

VendorProductVersionCPE
ofofonobshubbank*cpe:2.3:*:ofofonobs:hubbank:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ofofonobs	hubbank	*	cpe:2.3::ofofonobs:hubbank::::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "HubBank",
    "vendor": "Ofofonobs",
    "versions": [
      {
        "status": "affected",
        "version": "1.0.2"
      }
    ]
  }
]

References

www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank