Multiple vulnerabilities in Adive Framework

Posted date 30/04/2024
Importance
4 - High
Affected Resources

Adive Framework 2.0.8.

Description

INCIBE has coordinated the publication of 2 vulnerabilities affecting Adive Framework, a web and admin panel generator for managing MySQL databases through a custom user interface. The vulnerabilities were discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following CVE identifiers, CVSS v3.1 base scores, CVSS vectors and CWE vulnerability types:

  • CVE-2024-4336: 7.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L | CWE-79
  • CVE-2024-4337: 7.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L | CWE-79

Solution

There is no solution reported at the moment.

Detail
  • CVE-2024-4336: Adive Framework 2.0.8 does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/tables/add endpoint, in multiple parameters. An attacker could retrieve the session details of an authenticated user.
  • CVE-2024-4337: Adive Framework 2.0.8 does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/nav/add endpoint, in multiple parameters. This vulnerability allows an attacker to retrieve the session details of an authenticated user.
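As an added illustration of the weakness class behind both CVEs (CWE-79, insufficient output encoding of stored input), not code from Adive or from the advisory: the unencoded rendering pattern beside its context-encoded form, a check for tags the template itself never emitted, and the cookie flag that blunts the session-theft impact described above. Field names, sample values and the cookie name are constructed assumptions.

```python
import html
import re

# Constructed sample rows standing in for records saved through an admin "add" form.
# The advisory names the endpoints but not the parameters, so these fields are invented.
SAMPLE_ROWS = [
    {"name": "customers", "label": "Customer master data"},
    {"name": '<script>alert("stored")</script>', "label": 'x" onmouseover="alert(1)'},
]

TAG_RE = re.compile(r"<[^>]+>")


def render_row_vulnerable(row: dict) -> str:
    """The pattern the advisory describes: stored values interpolated into HTML as-is."""
    return f'<tr data-label="{row["label"]}"><td>{row["name"]}</td></tr>'


def render_row_fixed(row: dict) -> str:
    """Encode for the HTML context each value lands in (element body and attribute value).

    html.escape(..., quote=True) converts & < > " ' so the stored text can neither
    close the attribute nor open a new element.
    """
    name = html.escape(row["name"], quote=True)
    label = html.escape(row["label"], quote=True)
    return f'<tr data-label="{label}"><td>{name}</td></tr>'


def injected_tags(rendered: str, expected_tags: set[str]) -> list[str]:
    """Detection helper: element names present in the output that the template did not emit."""
    found = {m.group(0).split()[0].strip("<>/") for m in TAG_RE.finditer(rendered)}
    return sorted(found - expected_tags)


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the stated impact (reading an authenticated user's session):
    HttpOnly keeps the cookie out of reach of any script that does run in the page.
    Cookie name is a constructed placeholder."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    template_tags = {"tr", "td"}
    for row in SAMPLE_ROWS:
        print("vulnerable:", injected_tags(render_row_vulnerable(row), template_tags))
        print("fixed     :", injected_tags(render_row_fixed(row), template_tags))
```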