Lucene search

K
cvelistGitHub_MCVELIST:CVE-2024-22418
HistoryJan 18, 2024 - 8:44 p.m.

CVE-2024-22418 Stored Cross-site Scripting Vulnerability via Malicious File Names in GroupOffice

2024-01-1820:44:57
CWE-79
GitHub_M
www.cve.org
3
cross-site scripting
groupoffice
file upload
javascript
vulnerability
upgrade

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

EPSS

0

Percentile

14.0%

Group-Office is an enterprise CRM and groupware tool. Affected versions are subject to a vulnerability which is present in the file upload mechanism of Group Office. It allows an attacker to execute arbitrary JavaScript code by embedding it within a file’s name. For instance, using a filename such as “><img src>.jpg” triggers the vulnerability. When this file is uploaded, the JavaScript code within the filename is executed. This issue has been addressed in version 6.8.29. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "Intermesh",
    "product": "groupoffice",
    "versions": [
      {
        "version": "< 6.8.29",
        "status": "affected"
      }
    ]
  }
]

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

EPSS

0

Percentile

14.0%

Related for CVELIST:CVE-2024-22418