{
"id": "CVE-2024-27477",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-04-10T15:16:04.980",
"lastModified": "2024-11-21T09:04:39.973",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform Server-Side Request Forgery (SSRF) attacks."
},
{
"lang": "es",
"value": "En Leantime 3.0.6, existe una vulnerabilidad de Cross-Site Scripting dentro de la funcionalidad de creaci\u00f3n y modificaci\u00f3n de tickets, lo que permite a los atacantes inyectar c\u00f3digo JavaScript malicioso en el campo de t\u00edtulo de los tickets (tambi\u00e9n conocido como tareas pendientes). Esta vulnerabilidad XSS almacenada se puede aprovechar para realizar ataques de Server-Side Request Forgery (SSRF)."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
]
},
"weaknesses": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"references": [
{
"url": "https://drive.proton.me/urls/35CKB8RV04#sEubCKVOuXqt",
"source": "cve@mitre.org"
},
{
"url": "https://github.com/Leantime/leantime/blob/264a7dbc2c9b18f574821bf27dd568a287ee8498/app/Domain/Tickets/Controllers/ShowTicket.php#L20",
"source": "cve@mitre.org"
},
{
"url": "https://github.com/dead1nfluence/Leantime-POC/blob/main/README.md",
"source": "cve@mitre.org"
},
{
"url": "https://drive.proton.me/urls/35CKB8RV04#sEubCKVOuXqt",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://github.com/Leantime/leantime/blob/264a7dbc2c9b18f574821bf27dd568a287ee8498/app/Domain/Tickets/Controllers/ShowTicket.php#L20",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://github.com/dead1nfluence/Leantime-POC/blob/main/README.md",
"source": "af854a3a-2127-422b-91ae-364da2661108"
},
{
"url": "https://www.vicarius.io/vsociety/posts/analyzing-leantime-xss-for-the-fun-time-diving-into-cve-2024-27477-for-a-beginner",
"source": "af854a3a-2127-422b-91ae-364da2661108"
}
]
} |