CVE-2024-22220 - Vulnerability Details - OpenCVE

ReportizFlow

An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Terminalfour	Formbank Terminalfour

Configuration 1 [-]

OR	cpe:2.3:a:terminalfour:formbank::::::::
	cpe:2.3:a:terminalfour:terminalfour::::::::
	cpe:2.3:a:terminalfour:terminalfour::::::::
	cpe:2.3:a:terminalfour:terminalfour:7.4.0004:qp2::::::
	cpe:2.3:a:terminalfour:terminalfour:7.4.0004:qp3::::::

No data.

References

Link	Providers
https://docs.terminalfour.com/articles/release-notes-highlights/
https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22220/

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00203}`	epss `{'score': 0.00276}`

Thu, 08 May 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Terminalfour Terminalfour formbank Terminalfour terminalfour
CPEs		cpe:2.3:a:terminalfour:formbank:::::::: cpe:2.3:a:terminalfour:terminalfour:::::::: cpe:2.3:a:terminalfour:terminalfour:7.4.0004:qp2:::::: cpe:2.3:a:terminalfour:terminalfour:7.4.0004:qp3::::::
Vendors & Products		Terminalfour Terminalfour formbank Terminalfour terminalfour

Thu, 21 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-02-21T00:00:00

Updated: 2024-11-21T16:50:21.767Z

Reserved: 2024-01-08T00:00:00

Link: CVE-2024-22220

Vulnrichment

Updated: 2024-08-01T22:35:34.911Z

NVD

Status : Analyzed

Published: 2024-02-21T16:15:50.600

Modified: 2025-05-08T13:43:18.397

Link: CVE-2024-22220

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-22220", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-21T16:50:21.767Z", "dateReserved": "2024-01-08T00:00:00", "datePublished": "2024-02-21T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-21T15:58:50.111843"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://docs.terminalfour.com/articles/release-notes-highlights/"}, {"url": "https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22220/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-02-21T20:38:38.679246Z", "id": "CVE-2024-22220", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T16:50:21.767Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.911Z"}, "title": "CVE Program Container", "references": [{"url": "https://docs.terminalfour.com/articles/release-notes-highlights/", "tags": ["x_transferred"]}, {"url": "https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22220/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.terminalfour.com/articles/release-notes-highlights/", "tags": ["x_transferred"]}, {"url": "https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22220/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.911Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-22220", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T20:38:38.679246Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:37.551Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://docs.terminalfour.com/articles/release-notes-highlights/"}, {"url": "https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22220/"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-21T15:58:50.111843"}}}, "cveMetadata": {"cveId": "CVE-2024-22220", "state": "PUBLISHED", "dateUpdated": "2024-11-21T16:50:21.767Z", "dateReserved": "2024-01-08T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-02-21T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:terminalfour:formbank:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A7A3AD4-E168-4AC0-B041-293831E43FDC", "versionEndIncluding": "2.1.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:terminalfour:terminalfour:*:*:*:*:*:*:*:*", "matchCriteriaId": "01DB8B69-B9A0-4D8C-9277-E61BF1FC9F2D", "versionEndExcluding": "7.4.0004", "versionStartIncluding": "7.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:terminalfour:terminalfour:*:*:*:*:*:*:*:*", "matchCriteriaId": "13B78AE9-3CE1-4DA6-9331-9FB80DF715AF", "versionEndIncluding": "8.3.19", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:terminalfour:terminalfour:7.4.0004:qp2:*:*:*:*:*:*", "matchCriteriaId": "EC41C3FA-D8AD-425B-AFDA-9994F3806BCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:terminalfour:terminalfour:7.4.0004:qp3:*:*:*:*:*:*", "matchCriteriaId": "15737F32-A5C2-401E-8DF4-F5615AAD6473", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Terminalfour 7.4 hasta 7.4.0004 QP3 y 8 hasta 8.3.19, y en Formbank hasta 2.1.10-FINAL. Pueden producirse Cross-Site Scripting Almacenado no autenticadas, con el consiguiente secuestro de sesi\u00f3n de administrador. Los vectores de ataque son Form Builder y Form Preview."}], "id": "CVE-2024-22220", "lastModified": "2025-05-08T13:43:18.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-21T16:15:50.600", "references": [{"source": "[email protected]", "tags": ["Release Notes"], "url": "https://docs.terminalfour.com/articles/release-notes-highlights/"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22220/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://docs.terminalfour.com/articles/release-notes-highlights/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22220/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}