
CVE-2024-7269 Stored XSS in ConnX ESP HR Management

2024-08-28 10:29:48
CWE-79
CERT-PL
github.com
cve-2024-7269
stored xss
connx esp hr management
improper neutralization
input
web page generation
vulnerability
personal details update
vendor
esp hr management
version 6.6.

CVSS4

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

PASSIVE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

21.8%

SSVC

Exploitation

none

Automatable

no

Technical Impact

total

Improper Neutralization of Input During Web Page Generation vulnerability in “Update of Personal Details” form in ConnX ESP HR Management allows Stored XSS attack. An attacker might inject a script to be run in user’s browser. After multiple attempts to contact the vendor we did not receive any answer. The finder provided the information that this issue affects ESP HR Management versions before 6.6.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:connx:esp_hr_management:*:*:*:*:*:*:*:*"
    ],
    "vendor": "connx",
    "product": "esp_hr_management",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "6.6",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
