6.3

CVE-2024-22220

An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TerminalfourFormbank Version <= 2.1.10
TerminalfourTerminalfour Version >= 7.4 < 7.4.0004
TerminalfourTerminalfour Version >= 8.0.0 <= 8.3.19
TerminalfourTerminalfour Version7.4.0004 Updateqp2
TerminalfourTerminalfour Version7.4.0004 Updateqp3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.285
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.3 2.8 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://docs.terminalfour.com/articles/release-notes-highlights/
Release Notes
https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22220/
Vendor Advisory