CVE-2024-10652 - Vulnerability Details - OpenCVE

ReportizFlow

IDExpert from CHANGING Information Technology does not properly validate a parameter for a specific functionality, allowing unauthenticated remote attackers to inject JavsScript code and perform Reflected Cross-site scripting attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://www.twcert.org.tw/en/cp-139-8173-f8bbc-2.html
https://www.twcert.org.tw/tw/cp-132-8172-a02cc-1.html

History

Fri, 01 Nov 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 01 Nov 2024 10:15:00 +0000

Type	Values Removed	Values Added
Description		IDExpert from CHANGING Information Technology does not properly validate a parameter for a specific functionality, allowing unauthenticated remote attackers to inject JavsScript code and perform Reflected Cross-site scripting attacks.
Title		CHANGING Information Technology IDExpert - Reflected XSS
Weaknesses		CWE-79
References		https://www.twcert.org.tw/en/cp-139-8173-f8bbc-2.html https://www.twcert.org.tw/tw/cp-132-8172-a02cc-1.html
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2024-11-01T09:56:32.011Z

Updated: 2024-11-01T13:31:48.852Z

Reserved: 2024-11-01T02:36:01.192Z

Link: CVE-2024-10652

Vulnrichment

Updated: 2024-11-01T13:31:44.828Z

NVD

Status : Deferred

Published: 2024-11-01T10:15:04.877

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-10652

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-10652", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-11-01T02:36:01.192Z", "datePublished": "2024-11-01T09:56:32.011Z", "dateUpdated": "2024-11-01T13:31:48.852Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "IDExpert", "vendor": "CHANGING Information Technology", "versions": [{"lessThanOrEqual": "2.8", "status": "affected", "version": "2.5", "versionType": "custom"}]}], "datePublic": "2024-11-01T09:54:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">IDExpert from CHANGING Information Technology does not properly validate a parameter for a specific functionality, allowing unauthenticated remote attackers to inject JavsScript code and perform Reflected Cross-site scripting attacks.</span>"}], "value": "IDExpert from CHANGING Information Technology does not properly validate a parameter for a specific functionality, allowing unauthenticated remote attackers to inject JavsScript code and perform Reflected Cross-site scripting attacks."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-11-01T09:56:32.011Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-8172-a02cc-1.html"}, {"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/en/cp-139-8173-f8bbc-2.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to version 2.8.0.0523 or later."}], "value": "Update to version 2.8.0.0523 or later."}], "source": {"advisory": "TVN-202410025", "discovery": "EXTERNAL"}, "title": "CHANGING Information Technology IDExpert - Reflected XSS", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-01T13:31:40.351634Z", "id": "CVE-2024-10652", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-01T13:31:48.852Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-10652", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-01T13:31:40.351634Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-01T13:31:44.828Z"}}], "cna": {"title": "CHANGING Information Technology IDExpert - Reflected XSS", "source": {"advisory": "TVN-202410025", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CHANGING Information Technology", "product": "IDExpert", "versions": [{"status": "affected", "version": "2.5", "versionType": "custom", "lessThanOrEqual": "2.8"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to version 2.8.0.0523 or later.", "supportingMedia": [{"type": "text/html", "value": "Update to version 2.8.0.0523 or later.", "base64": false}]}], "datePublic": "2024-11-01T09:54:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-8172-a02cc-1.html", "tags": ["third-party-advisory"]}, {"url": "https://www.twcert.org.tw/en/cp-139-8173-f8bbc-2.html", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "IDExpert from CHANGING Information Technology does not properly validate a parameter for a specific functionality, allowing unauthenticated remote attackers to inject JavsScript code and perform Reflected Cross-site scripting attacks.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">IDExpert from CHANGING Information Technology does not properly validate a parameter for a specific functionality, allowing unauthenticated remote attackers to inject JavsScript code and perform Reflected Cross-site scripting attacks.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-11-01T09:56:32.011Z"}}}, "cveMetadata": {"cveId": "CVE-2024-10652", "state": "PUBLISHED", "dateUpdated": "2024-11-01T13:31:48.852Z", "dateReserved": "2024-11-01T02:36:01.192Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2024-11-01T09:56:32.011Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}