Lucene search

FortraCVELIST:CVE-2024-25155

HistoryMar 13, 2024 - 2:15 p.m.

CVE-2024-25155 Reflected Cross-Site Scripting (XSS) in FileCatalyst Direct 3.8.8 and earlier

2024-03-1314:15:54

CWE-79

Fortra

www.cve.org

cve-2024-25155

reflected cross-site scripting

filecatalyst direct

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Direct"
    ],
    "product": "FileCatalyst",
    "vendor": "Fortra",
    "versions": [
      {
        "lessThan": "3.8.9",
        "status": "affected",
        "version": "3.8.6 ",
        "versionType": "semver"
      }
    ]
  }
]

References

filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html

www.fortra.com/security/advisory/fi-2024-003

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-25155