CVE-2024-25627

Exploit

EPSS 0.46%
Published 16.02.2024 21:15:08
Last modified 18.12.2024 19:34:36
Source security-advisories@github.com
Teams watchlist Login
Open Login

Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Alf ≫ Alf Version < 2.0-m4-2304

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.46%	0.634

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	3.5	0.9	2.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/alfio-event/alf.io/security/advisories/GHSA-gpmg-8f92-37cf

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-25627

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-25627

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-25627

EUVD