Lucene search

[email protected]NVD:CVE-2023-31434

HistoryMay 02, 2023 - 8:15 p.m.

CVE-2023-31434

2023-05-0220:15:11

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-31434

user profile

direct links

html code injection

xss payloads

input validation

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

23.5%

JSON

The parameters nutzer_titel, nutzer_vn, and nutzer_nn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do not validate input, which allows authenticated attackers to inject HTML Code and XSS payloads in multiple locations.

Affected configurations

Nvd

Node

evasysevasysMatch8.2-

evasysevasysMatch9.0-

VendorProductVersionCPE
evasysevasys8.2cpe:2.3:a:evasys:evasys:8.2:-:*:*:*:*:*:*
evasysevasys9.0cpe:2.3:a:evasys:evasys:9.0:-:*:*:*:*:*:*

Vendor	Product	Version	CPE
evasys	evasys	8.2	cpe:2.3:a:evasys:evasys:8.2:-::::::
evasys	evasys	9.0	cpe:2.3:a:evasys:evasys:9.0:-::::::

References

cves.at/posts/cve-2023-31434/writeup/