CVE-2024-8750

Cross-site Scripting (XSS) vulnerability in idoit pro version 28. This vulnerability allows an attacker to retrieve session details of an authenticated user due to lack of proper sanitization of the following parameters (id,lang,mNavID,name,pID,treeNode,type,view).

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-synetics-idoit-pro	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:i-doit:i-doit:28:*:*:*:pro:*:*:*

History

No history.

Information

Published : 2024-09-12 12:15

Updated : 2024-09-18 20:38

NVD link : CVE-2024-8750

Mitre link : CVE-2024-8750

CVE.ORG link : CVE-2024-8750

JSON object : View

Products Affected

i-doit

i-doit

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-8750", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-09-12T12:15:54.007", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-synetics-idoit-pro", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) vulnerability in idoit pro version 28. This vulnerability allows an attacker to retrieve session details of an authenticated user due to lack of proper sanitization of the following parameters (id,lang,mNavID,name,pID,treeNode,type,view)."}, {"lang": "es", "value": "Vulnerabilidad de Cross-site Scripting (XSS) en idoit pro versi\u00f3n 28. Esta vulnerabilidad permite a un atacante recuperar detalles de la sesi\u00f3n de un usuario autenticado debido a la falta de una desinfecci\u00f3n adecuada de los siguientes par\u00e1metros (id,lang,mNavID,name,pID,treeNode,type,view)."}], "lastModified": "2024-09-18T20:38:42.123", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:i-doit:i-doit:28:*:*:*:pro:*:*:*", "vulnerable": true, "matchCriteriaId": "85C33B1A-464B-4A24-8100-6FB8D2128D41"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}