CVE-2024-25974 Vulnerability Details

  /     /     /  

CVE-2024-25974 Metadata Quick Info

CVE Published: 20/02/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: SEC-VLab | Vendor: Frentix GmbH | Product: OpenOlat LMS
Status : PUBLISHED

CVE-2024-25974 Description

The Frentix GmbH OpenOlat LMS is affected by stored a Cross-Site Scripting (XSS) vulnerability. It is possible to upload files within the Media Center of OpenOlat version 18.1.5 (or lower) as an authenticated user without any other rights. Although the filetypes are limited, an SVG image containing an XSS payload can be uploaded. After a successful upload the file can be shared with groups of users (including admins) who can be attacked with the JavaScript payload.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-20
CWE Name: CWE-20 Improper Input Validation
Source: Frentix GmbH

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-63
CAPEC Description: CAPEC-63 Cross-Site Scripting (XSS)


Source: NVD (National Vulnerability Database).

Last added CVEs

▸ CVE-2024-9999 ◂
Discovered: 12/11/2024
Status: PUBLISHED
▸ CVE-2024-9997 ◂
Discovered: 29/10/2024
Status: PUBLISHED
▸ CVE-2024-9996 ◂
Discovered: 29/10/2024
Status: PUBLISHED



Tags:
CVE-2024-25974 Vulnerability Details