CVE-2024-8942 - Vulnerability Details - OpenCVE

ReportizFlow

Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the “id_form_msg_title” parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Scriptcase	Scriptcase

Configuration 1 [-]

cpe:2.3:a:scriptcase:scriptcase:9.4.019:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-scriptcase

History

Mon, 30 Sep 2024 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Scriptcase Scriptcase scriptcase
CPEs		cpe:2.3:a:scriptcase:scriptcase:9.4.019:::::::*
Vendors & Products		Scriptcase Scriptcase scriptcase

Tue, 24 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Sep 2024 12:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the “id_form_msg_title” parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials.
Title		Cross-site Scripting vulnerability on Scriptcase
Weaknesses		CWE-79
References		https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-scriptcase
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-09-24T11:51:49.722Z

Updated: 2024-09-24T13:26:07.233Z

Reserved: 2024-09-17T09:43:48.913Z

Link: CVE-2024-8942

Vulnrichment

Updated: 2024-09-24T13:26:01.461Z

NVD

Status : Analyzed

Published: 2024-09-25T01:15:48.483

Modified: 2024-09-30T17:39:28.417

Link: CVE-2024-8942

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8942", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-09-17T09:43:48.913Z", "datePublished": "2024-09-24T11:51:49.722Z", "dateUpdated": "2024-09-24T13:26:07.233Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Scriptcase", "vendor": "Scriptcase", "versions": [{"status": "affected", "version": "9.4.019"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafael Pedrero"}], "datePublic": "2024-09-17T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the \u201cid_form_msg_title\u201d parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials."}], "value": "Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the \u201cid_form_msg_title\u201d parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-09-24T11:51:49.722Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-scriptcase"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability has been fixed in the latest version.<br>"}], "value": "The vulnerability has been fixed in the latest version."}], "source": {"discovery": "EXTERNAL"}, "title": "Cross-site Scripting vulnerability on Scriptcase", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-24T13:05:56.263402Z", "id": "CVE-2024-8942", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T13:26:07.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8942", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-24T13:05:56.263402Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T13:26:01.461Z"}}], "cna": {"title": "Cross-site Scripting vulnerability on Scriptcase", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Rafael Pedrero"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Scriptcase", "product": "Scriptcase", "versions": [{"status": "affected", "version": "9.4.019"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability has been fixed in the latest version.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been fixed in the latest version.<br>", "base64": false}]}], "datePublic": "2024-09-17T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-scriptcase"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the \u201cid_form_msg_title\u201d parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the \u201cid_form_msg_title\u201d parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-09-24T11:51:49.722Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8942", "state": "PUBLISHED", "dateUpdated": "2024-09-24T13:26:07.233Z", "dateReserved": "2024-09-17T09:43:48.913Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-09-24T11:51:49.722Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scriptcase:scriptcase:9.4.019:*:*:*:*:*:*:*", "matchCriteriaId": "FE28A6BC-9B6D-4F25-9828-8D806FA48470", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the \u201cid_form_msg_title\u201d parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials."}, {"lang": "es", "value": "Vulnerabilidad en Scriptcase versi\u00f3n 9.4.019 que consiste en un Cross-Site Scripting (XSS), debido a la falta de validaci\u00f3n de entrada, afectando al par\u00e1metro \u201cid_form_msg_title\u201d, entre otros. Esta vulnerabilidad podr\u00eda permitir a un usuario remoto enviar una URL especialmente manipulada a una v\u00edctima y recuperar sus credenciales."}], "id": "CVE-2024-8942", "lastModified": "2024-09-30T17:39:28.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-09-25T01:15:48.483", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-scriptcase"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}