vulnrichment INCIBE VULNRICHMENT:CVE-2024-4337
History Apr 30, 2024 - 9:33 a.m.

CVE-2024-4337 Multiple vulnerabilities on Adive Framework

2024-04-30 09:33:46
CWE-79
INCIBE
github.com
1
adive framework
cross-site scripting
user-controlled inputs
authentication
session retrieval

CVSS3: 7.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

AI Score: 5.8
Confidence: High

SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

Adive Framework 2.0.8 does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via /adive/admin/nav/add, in multiple parameters. This vulnerability allows an attacker to retrieve the session details of an authenticated user.
