admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-06-12 02:04:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2024/CVE-2024-393xx/CVE-2024-39311.json
cad-safe-bot 865d8c9414 Auto-Update: 2025-04-20T02:01:32.812855+00:00
2025-04-20 02:05:18 +00:00

150 lines
6.0 KiB
JSON
Raw Blame History

{
"id": "CVE-2024-39311",
"sourceIdentifier": "security-advisories@github.com",
"published": "2025-03-28T15:15:44.647",
"lastModified": "2025-04-14T14:24:49.550",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Publify is a self hosted Web publishing platform on Rails. Prior to version 10.0.1 of Publify, corresponding to versions prior to 10.0.2 of the `publify_core` rubygem, publisher on a `publify` application is able to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. The exploitation of this XSS vulnerability requires the administrator to click a malicious link. An attack could attempt to hide their payload by using HTML, or other encodings, as to not make it obvious to an administrator that this is a malicious link. A publisher may attempt to use this vulnerability to escalate their privileges and become an administrator. Version 10.0.1 of Publify and version 10.0.2 of the `publify_core` rubygem fix the issue."
},
{
"lang": "es",
"value": "Publify es una plataforma de publicaci\u00f3n web autoalojada en Rails. Antes de la versi\u00f3n 10.0.1 de Publify, correspondiente a las versiones anteriores a la 10.0.2 de la gema `publify_core`, un editor en una aplicaci\u00f3n `publify` pod\u00eda realizar un ataque de Cross Site Scripting (XSS) contra un administrador mediante la funci\u00f3n de redireccionamiento. Para explotar esta vulnerabilidad XSS, el administrador debe hacer clic en un enlace malicioso. Un ataque podr\u00eda intentar ocultar su payload mediante HTML u otras codificaciones para que el administrador no note que se trata de un enlace malicioso. Un editor podr\u00eda intentar aprovechar esta vulnerabilidad para aumentar sus privilegios y convertirse en administrador. Las versiones 10.0.1 de Publify y 10.0.2 de la gema `publify_core` solucionan el problema."
}
],
"metrics": {
"cvssMetricV40": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "4.0",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"baseScore": 1.8,
"baseSeverity": "LOW",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "HIGH",
"userInteraction": "ACTIVE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"subAvailabilityImpact": "NONE",
"exploitMaturity": "PROOF_OF_CONCEPT",
"confidentialityRequirement": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"availabilityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"valueDensity": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED"
}
}
],
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:publify:publify:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.1",
"matchCriteriaId": "87C5F03F-C0E9-41ED-B498-E03CF3CA27DF"
}
]
}
]
},
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:publify:publify_core:*:*:*:*:*:ruby:*:*",
"versionEndExcluding": "10.0.2",
"matchCriteriaId": "17C10FE3-54A1-4D58-8A4E-9F6A58C69B5D"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66q",
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
]
},
{
"url": "https://github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66q",
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink