CVE-2024-37392

A stored Cross-Site Scripting (XSS) vulnerability has been identified in SMSEagle software version < 6.0. The vulnerability arises because the application did not properly sanitize user input in the SMS messages in the inbox. This could allow an attacker to inject malicious JavaScript code into an SMS message, which gets executed when the SMS is viewed and specially interacted in web-GUI.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.smseagle.eu/security-advisory/resolved-xss-in-smseagle-software-cve-2024-37392/

Configurations

Configuration 1 (hide)

cpe:2.3:a:smseagle:smseagle:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-08-23 21:15

Updated : 2025-03-20 14:15

NVD link : CVE-2024-37392

Mitre link : CVE-2024-37392

CVE.ORG link : CVE-2024-37392

JSON object : View

Products Affected

smseagle

smseagle

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-37392", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-08-23T21:15:07.253", "references": [{"url": "https://www.smseagle.eu/security-advisory/resolved-xss-in-smseagle-software-cve-2024-37392/", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored Cross-Site Scripting (XSS) vulnerability has been identified in SMSEagle software version < 6.0. The vulnerability arises because the application did not properly sanitize user input in the SMS messages in the inbox. This could allow an attacker to inject malicious JavaScript code into an SMS message, which gets executed when the SMS is viewed and specially interacted in web-GUI."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en la versi\u00f3n del software SMSEagle < 6.0. La vulnerabilidad surge porque la aplicaci\u00f3n no desinfect\u00f3 adecuadamente la entrada del usuario en los mensajes SMS en la bandeja de entrada. Esto podr\u00eda permitir a un atacante inyectar c\u00f3digo JavaScript malicioso en un mensaje SMS, que se ejecuta cuando el SMS se ve y se interact\u00faa especialmente en la GUI web."}], "lastModified": "2025-03-20T14:15:19.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:smseagle:smseagle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81C8A1F4-B480-4AC9-93F1-047DE326D2AF", "versionEndExcluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}