CVE-2024-10038

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Published: Nov 13, 2024 / Updated: 7d ago

CVSS 6.1 / EPSS 0.05% / Severity: Medium

The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
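The description names the two defenses that were missing: input sanitization when the setting is saved and output escaping when it is rendered. The following is an added example, not WP-Strava's code and not derived from the linked Auth.php; it uses a hypothetical settings field and shows the unescaped pattern beside a hardened one. The `esc_html()`, `esc_attr()` and `sanitize_text_field()` stand-ins at the top exist only so the file runs under a plain `php` CLI; inside WordPress the real functions are used and the stand-ins are skipped.

```php
<?php
// Added example (hypothetical plugin settings field), not WP-Strava's code.

// Stand-ins so this file runs outside WordPress. In a real plugin these
// names resolve to WordPress core's own escaping/sanitizing helpers.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Simplified stand-in: WordPress's version also normalizes whitespace
        // and strips octets/percent-encoded junk; stripping tags is the core step.
        return trim(strip_tags((string) $text));
    }
}

// Constructed sample input: a label an administrator might type into a
// plugin settings form (constructed for this example).
$submitted = 'My Club <img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so any tag saved in the option is emitted on every page that renders it.
function render_label_unsafe(string $stored): string {
    return '<span class="club">' . $stored . '</span>';
}

// Hardened pattern, step 1: sanitize when saving. In WordPress this is the
// place for register_setting()'s 'sanitize_callback' option.
function sanitize_on_save(string $raw): string {
    return sanitize_text_field($raw);
}

// Hardened pattern, step 2: escape on output, choosing the escaper for the
// HTML context (attribute value vs. element text) the value lands in.
function render_label_safe(string $stored): string {
    return '<span class="club" title="' . esc_attr($stored) . '">'
         . esc_html($stored)
         . '</span>';
}

echo "unsafe: " . render_label_unsafe($submitted) . "\n";
$stored = sanitize_on_save($submitted);
echo "safe:   " . render_label_safe($stored) . "\n";
```

The two steps are independent on purpose: output escaping alone would already stop the stored markup from executing, and sanitizing on save additionally keeps the tag out of the database so older templates that echo the option raw are not left exposed. The page's note about `unfiltered_html` matters here because WordPress applies its kses filtering to post content for users who lack that capability, but plugin options are filtered only by whatever sanitize callback the plugin itself registers; a plugin that echoes an option without escaping therefore fails exactly the users the capability is meant to restrict.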

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-10038

Nov 13, 2024 at 2:15 AM
CVSS

A CVSS base score of 6.1 has been assigned.

Nov 13, 2024 at 2:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-10038.

Nov 13, 2024 at 2:22 AM / Vulners.com RSS Feed
EPSS

EPSS Score was set to: 0.05% (Percentile: 18.3%)

Nov 13, 2024 at 1:37 PM

Affected Systems

Wordpress/wordpress

Attack Patterns

CAPEC-18: XSS Targeting Non-Script Elements

News

Content warning: CMANON WP-STRAVA CVE-2024-10038 CVE-2024-10038 WP-Strava https://www.cve.org/CVERecord?id=CVE-2024-10038 https://www.wordfence.com/threat-intel/vulnerabilities/id/9f200526-890c-4a2a-9d8e-334443ef7e0b?source=cve https://github.com/cmanon/wp-strava/blob/5b9499dab0eeada3887e5b64cf471e7978147154/src/WPStrava/Auth.php#L92-L93 #cmanon #WP-Strava #CVE_2024_10038 #bot
CVE-2024-10038 | WP-Strava Plugin up to 2.12.1 on WordPress cross site scripting
A vulnerability has been found in WP-Strava Plugin up to 2.12.1 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-10038. The attack can be launched remotely. There is no exploit available.

CVSS v3.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
