Lucene search

[email protected]CVE-2023-7035

HistoryDec 21, 2023 - 3:15 p.m.

CVE-2023-7035

2023-12-2115:15:13

CWE-79

[email protected]

web.nvd.nist.gov

automad

1.10.9

file packages

standard

templates

post.php

cross site scripting

vulnerability

vdb-248684

nvd

cve-2023-7035

3.3 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

MULTIPLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:M/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

20.2%

JSON

A vulnerability was found in automad up to 1.10.9 and classified as problematic. Affected by this issue is some unknown functionality of the file packages\standard\templates\post.php of the component Setting Handler. The manipulation of the argument sitename leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-248684. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected configurations

Vulners

NVD

Node

automadautomadMatch1.10.0

automadautomadMatch1.10.1

automadautomadMatch1.10.2

automadautomadMatch1.10.3

automadautomadMatch1.10.4

automadautomadMatch1.10.5

automadautomadMatch1.10.6

automadautomadMatch1.10.7

automadautomadMatch1.10.8

automadautomadMatch1.10.9

VendorProductVersionCPE
automadautomad1.10.0cpe:2.3:a:automad:automad:1.10.0:*:*:*:*:*:*:*
automadautomad1.10.1cpe:2.3:a:automad:automad:1.10.1:*:*:*:*:*:*:*
automadautomad1.10.2cpe:2.3:a:automad:automad:1.10.2:*:*:*:*:*:*:*
automadautomad1.10.3cpe:2.3:a:automad:automad:1.10.3:*:*:*:*:*:*:*
automadautomad1.10.4cpe:2.3:a:automad:automad:1.10.4:*:*:*:*:*:*:*
automadautomad1.10.5cpe:2.3:a:automad:automad:1.10.5:*:*:*:*:*:*:*
automadautomad1.10.6cpe:2.3:a:automad:automad:1.10.6:*:*:*:*:*:*:*
automadautomad1.10.7cpe:2.3:a:automad:automad:1.10.7:*:*:*:*:*:*:*
automadautomad1.10.8cpe:2.3:a:automad:automad:1.10.8:*:*:*:*:*:*:*
automadautomad1.10.9cpe:2.3:a:automad:automad:1.10.9:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
automad	automad	1.10.0	cpe:2.3:a:automad:automad:1.10.0:::::::*
automad	automad	1.10.1	cpe:2.3:a:automad:automad:1.10.1:::::::*
automad	automad	1.10.2	cpe:2.3:a:automad:automad:1.10.2:::::::*
automad	automad	1.10.3	cpe:2.3:a:automad:automad:1.10.3:::::::*
automad	automad	1.10.4	cpe:2.3:a:automad:automad:1.10.4:::::::*
automad	automad	1.10.5	cpe:2.3:a:automad:automad:1.10.5:::::::*
automad	automad	1.10.6	cpe:2.3:a:automad:automad:1.10.6:::::::*
automad	automad	1.10.7	cpe:2.3:a:automad:automad:1.10.7:::::::*
automad	automad	1.10.8	cpe:2.3:a:automad:automad:1.10.8:::::::*
automad	automad	1.10.9	cpe:2.3:a:automad:automad:1.10.9:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "automad",
    "versions": [
      {
        "version": "1.10.0",
        "status": "affected"
      },
      {
        "version": "1.10.1",
        "status": "affected"
      },
      {
        "version": "1.10.2",
        "status": "affected"
      },
      {
        "version": "1.10.3",
        "status": "affected"
      },
      {
        "version": "1.10.4",
        "status": "affected"
      },
      {
        "version": "1.10.5",
        "status": "affected"
      },
      {
        "version": "1.10.6",
        "status": "affected"
      },
      {
        "version": "1.10.7",
        "status": "affected"
      },
      {
        "version": "1.10.8",
        "status": "affected"
      },
      {
        "version": "1.10.9",
        "status": "affected"
      }
    ],
    "modules": [
      "Setting Handler"
    ]
  }
]

References

github.com/screetsec/VDD/tree/main/Automad%20CMS/Stored%20Cross%20Site%20Scripting%20(XSS)

vuldb.com/?ctiid.248684

vuldb.com/?id.248684

3.3 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

MULTIPLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:M/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

20.2%

JSON

Related for CVE-2023-7035

github1 nvd1 osv2 cvelist1 prion1