exploitDog

CVE-2024-25627

Опубликовано: 16 фев. 2024

Источник: nvd

CVSS3: 3.5

CVSS3: 4.8

EPSS Низкий

Описание

Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Ссылки

https://github.com/alfio-event/alf.io/security/advisories/GHSA-gpmg-8f92-37cf
Exploit
Vendor Advisory
https://github.com/alfio-event/alf.io/security/advisories/GHSA-gpmg-8f92-37cf
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:alf:alf:*:*:*:*:*:*:*:*

Версия до 2.0-m4-2304 (исключая)

EPSS

Процентиль: 65%

0.00482

Низкий

3.5 Low

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-79

CWE-79

EPSS

Процентиль: 65%

0.00482

Низкий

3.5 Low

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-79

CWE-79