CVE-2024-52943

An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24697. It allows an authenticated remote attacker to inject a parameter into an HTTP request, allowing for Cross-Site Scripting (XSS) while viewing archived content. This could reflect back to an authenticated user without sanitization if executed by that user.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.veritas.com/support/en_US/security/VTS24-013	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:veritas:enterprise_vault:*:*:*:*:*:*:*:*

History

30 Apr 2025, 16:18

Type	Values Removed	Values Added
First Time		Veritas enterprise Vault Veritas
References	~~() https://www.veritas.com/support/en_US/security/VTS24-013 -~~	() https://www.veritas.com/support/en_US/security/VTS24-013 - Vendor Advisory
CPE		cpe:2.3:a:veritas:enterprise_vault::::::::

18 Mar 2025, 20:15

Type	Values Removed	Values Added
CWE		CWE-79

11 Dec 2024, 15:15

Type	Values Removed	Values Added
CWE	~~CWE-79~~

05 Dec 2024, 21:15

Type	Values Removed	Values Added
CWE		CWE-79

Information

Published : 2024-11-18 06:15

Updated : 2025-04-30 16:18

NVD link : CVE-2024-52943

Mitre link : CVE-2024-52943

CVE.ORG link : CVE-2024-52943

JSON object : View

Products Affected

veritas

enterprise_vault

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-52943", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-11-18T06:15:05.793", "references": [{"url": "https://www.veritas.com/support/en_US/security/VTS24-013", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Veritas Enterprise Vault before 15.1 UPD882911, ZDI-CAN-24697. It allows an authenticated remote attacker to inject a parameter into an HTTP request, allowing for Cross-Site Scripting (XSS) while viewing archived content. This could reflect back to an authenticated user without sanitization if executed by that user."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Veritas Enterprise Vault anterior a la versi\u00f3n 15.1 UPD882911, ZDI-CAN-24697. Permite que un atacante remoto autenticado inyecte un par\u00e1metro en una solicitud HTTP, lo que permite la ejecuci\u00f3n de cross site scripting (XSS) mientras se visualiza contenido archivado. Esto podr\u00eda reflejarse en un usuario autenticado sin desinfecci\u00f3n si lo ejecuta ese usuario."}], "lastModified": "2025-04-30T16:18:57.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:veritas:enterprise_vault:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48F303BF-0D12-431D-9F1C-68001BC4E870", "versionEndExcluding": "15.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}