FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-34070

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: May 10, 2024

010
CVSS 9.6EPSS 0.04%Critical
CVE info copied to clipboard

Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (998710)

May 10, 2024 at 7:53 AM
CVSS

A CVSS base score of 9.6 has been assigned.

May 10, 2024 at 3:30 PM / github_advisories
EPSS

EPSS Score was set to: 0.04% (Percentile: 8.4%)

May 11, 2024 at 10:09 AM
CVE Assignment

NVD published the first details for CVE-2024-34070

May 14, 2024 at 3:38 PM
First Article

Feedly found the first article mentioning CVE-2024-34070. See article

May 14, 2024 at 3:45 PM / National Vulnerability Database
Static CVE Timeline Graph

Affected Systems

Froxlor/froxlor
+null more

Patches

Github Advisory
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

Vendor Advisory

[GHSA-x525-54hf-xr53] Blind XSS Leading to Froxlor Application Compromise
GitHub Advisory Database / 6mo
But the checks of the library were bypassed by crafting an XSS Payload using data binding and interpolation of Vue.js A working XSS payload was crafted which forces an administrator to add a new malicious attacker-controlled Administrator User. A Stored Blind Cross-Site Scripting (XSS) vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application.

News

Update Tue Jun 25 06:36:40 UTC 2024
Recent Commits to cve:main / 4mo
Update Tue Jun 25 06:36:40 UTC 2024
Update Sun Jun 16 01:57:53 UTC 2024
Recent Commits to cve:main / 5mo
Update Sun Jun 16 01:57:53 UTC 2024
Update Wed Jun 12 18:11:51 UTC 2024
Recent Commits to cve:main / 5mo
Update Wed Jun 12 18:11:51 UTC 2024
Update Fri May 31 10:02:51 UTC 2024
Recent Commits to cve:main / 5mo
Update Fri May 31 10:02:51 UTC 2024
Update Thu May 23 02:13:25 UTC 2024
Recent Commits to cve:main / 6mo
Update Thu May 23 02:13:25 UTC 2024
See 7 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 9.6(27010)CWE-79(31345)CWE-80(307)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial