CVE-2024-25627

Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/alfio-event/alf.io/security/advisories/GHSA-gpmg-8f92-37cf

Configurations

No configuration.

History

No history.

Information

Published : 2024-02-16 21:15

Updated : 2024-02-16 21:39

NVD link : CVE-2024-25627

Mitre link : CVE-2024-25627

CVE.ORG link : CVE-2024-25627

JSON object : View

Products Affected

No product.

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

3.5 /10