CVE-2024-11348 - Vulnerability Details - OpenCVE

ReportizFlow

Eura7 CMSmanager in version 4.6 and below is vulnerable to Reflected XSS attacks through manipulation of return GET request parameter sent to a specific endpoint. The vulnerability has been fixed by a patche patch 17012022 addressing all affected versions in use.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://cert.pl/en/posts/2025/01/CVE-2024-11348

History

Mon, 27 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 27 Jan 2025 13:30:00 +0000

Type	Values Removed	Values Added
Description		Eura7 CMSmanager in version 4.6 and below is vulnerable to Reflected XSS attacks through manipulation of return GET request parameter sent to a specific endpoint. The vulnerability has been fixed by a patche patch 17012022 addressing all affected versions in use.
Title		Reflected XSS in Eura7 CMSmanager
Weaknesses		CWE-79
References		https://cert.pl/en/posts/2025/01/CVE-2024-11348
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2025-01-27T13:16:02.584Z

Updated: 2025-01-27T19:36:28.619Z

Reserved: 2024-11-18T16:29:41.145Z

Link: CVE-2024-11348

Vulnrichment

Updated: 2025-01-27T19:36:24.373Z

NVD

Status : Deferred

Published: 2025-01-27T14:15:27.973

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-11348

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11348", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-11-18T16:29:41.145Z", "datePublished": "2025-01-27T13:16:02.584Z", "dateUpdated": "2025-01-27T19:36:28.619Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CMSmanager", "vendor": "Eura7", "versions": [{"changes": [{"at": "patch 17012022", "status": "unaffected"}], "lessThanOrEqual": "4.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sebastian Je\u017c"}], "datePublic": "2025-01-27T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Eura7 CMSmanager in version 4.6 and below <span style=\"background-color: rgb(252, 252, 252);\">is vulnerable to Reflected XSS attacks through manipulation of <i>return</i> GET request parameter sent to a specific<i> </i>endpoint.<br></span>The vulnerability has been fixed by a patche patch 17012022 addressing all affected versions in use. "}], "value": "Eura7 CMSmanager in version 4.6 and below\u00a0is vulnerable to Reflected XSS attacks through manipulation of\u00a0return GET request parameter sent to a specific\u00a0endpoint.\nThe vulnerability has been fixed by a patche\u00a0patch 17012022 addressing all affected versions in use."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-01-27T13:16:02.584Z"}, "references": [{"url": "https://cert.pl/en/posts/2025/01/CVE-2024-11348"}], "source": {"discovery": "UNKNOWN"}, "title": "Reflected XSS in Eura7 CMSmanager", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-27T19:36:18.497588Z", "id": "CVE-2024-11348", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-27T19:36:28.619Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-27T19:36:18.497588Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-27T19:36:24.373Z"}}], "cna": {"title": "Reflected XSS in Eura7 CMSmanager", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sebastian Je\u017c"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eura7", "product": "CMSmanager", "versions": [{"status": "affected", "changes": [{"at": "patch 17012022", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.6"}], "defaultStatus": "unaffected"}], "datePublic": "2025-01-27T11:00:00.000Z", "references": [{"url": "https://cert.pl/en/posts/2025/01/CVE-2024-11348"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Eura7 CMSmanager in version 4.6 and below\u00a0is vulnerable to Reflected XSS attacks through manipulation of\u00a0return GET request parameter sent to a specific\u00a0endpoint.\nThe vulnerability has been fixed by a patche\u00a0patch 17012022 addressing all affected versions in use.", "supportingMedia": [{"type": "text/html", "value": "Eura7 CMSmanager in version 4.6 and below <span style=\"background-color: rgb(252, 252, 252);\">is vulnerable to Reflected XSS attacks through manipulation of <i>return</i> GET request parameter sent to a specific<i> </i>endpoint.<br></span>The vulnerability has been fixed by a patche patch 17012022 addressing all affected versions in use. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-01-27T13:16:02.584Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11348", "state": "PUBLISHED", "dateUpdated": "2025-01-27T19:36:28.619Z", "dateReserved": "2024-11-18T16:29:41.145Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2025-01-27T13:16:02.584Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Eura7 CMSmanager in version 4.6 and below\u00a0is vulnerable to Reflected XSS attacks through manipulation of\u00a0return GET request parameter sent to a specific\u00a0endpoint.\nThe vulnerability has been fixed by a patche\u00a0patch 17012022 addressing all affected versions in use."}, {"lang": "es", "value": "Eura7 CMSmanager en la versi\u00f3n 4.6 y anteriores es vulnerable a ataques XSS reflejados mediante la manipulaci\u00f3n del par\u00e1metro de solicitud GET de retorno enviado a un endpoint espec\u00edfico. La vulnerabilidad ha sido corregida mediante un parche 17012022 que aborda todas las versiones afectadas en uso. "}], "id": "CVE-2024-11348", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-01-27T14:15:27.973", "references": [{"source": "[email protected]", "url": "https://cert.pl/en/posts/2025/01/CVE-2024-11348"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}