4.3
CVE-2024-33670
- EPSS 0.48%
- Veröffentlicht 26.04.2024 01:15:46
- Zuletzt bearbeitet 18.06.2025 19:16:31
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Passbolt ≫ Passbolt Api Version < 4.6.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.48% | 0.377 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cve@mitre.org | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://www.passbolt.com/security/more
https://help.passbolt.com/incidents/reflective-html-injection-vulnerability
https://www.passbolt.com/incidents