Lucene search

INCIBECVELIST:CVE-2024-33981

HistoryAug 06, 2024 - 11:06 a.m.

CVE-2024-33981 Cross-site Scripting in Janobe products

2024-08-0611:06:40

CWE-79

INCIBE

www.cve.org

cross-site scripting

janobe products

session cookie

specially crafted url

version 1.0

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS

0.001

Percentile

17.7%

JSON

Cross-Site Scripting (XSS) vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could create a specially crafted URL and send it to a victim to obtain details of their session cookie via the ‘start’ parameter in ‘/admin/mod_reports/index.php’.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Janobe PayPal",
    "vendor": "Janobe",
    "versions": [
      {
        "status": "affected",
        "version": "1.0"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Credit Card",
    "vendor": "Janobe",
    "versions": [
      {
        "status": "affected",
        "version": "1.0"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Debit Card Payment",
    "vendor": "Janobe",
    "versions": [
      {
        "status": "affected",
        "version": "1.0"
      }
    ]
  }
]

References

www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janobe-products