Cross-Site Scripting in the Holded application
Posted date 22/04/2024
Identifier
INCIBE-2024-0203
Importance
3 - Medium
Affected Resources
- Holded web application.
Description
INCIBE has coordinated the publication of a medium severity vulnerability affecting the Holded application, a management software for SMEs and entrepreneurs, which has been discovered by Raúl Vega Arjona, from Hispasec Sistemas.
This vulnerability has been assigned the following CVE code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2024-4026: 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CWE-79
Solution
Vulnerability fixed in version 4.20.0.
Detail
CVE-2024-4026: Cross-Site Scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload in any of the editable parameters of the 'General' and 'Team ID' functionalities (a stored XSS), which could result in a session takeover.
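The defensive counterpart to the issue described above, as an added example that is not part of the INCIBE advisory and is not Holded's code: user-editable settings fields are HTML-escaped before being rendered back into the page, so a stored value is shown as text rather than interpreted as markup, and the session cookie is issued with attributes that limit what an injected script could do with it. The field names ('Company name', 'Team ID'), the sample stored value and the cookie name are constructed for the example; `escapeHtml`, `renderField`, `renderSettings`, `buildSessionCookie` and `containsRawTag` are hypothetical helper names.

```javascript
// Added example (not from the advisory or the Holded code base): defensive
// handling of user-editable settings fields so that a stored value cannot be
// interpreted as markup when it is rendered back into the page.

// Escape the five characters that matter in an HTML text or attribute context.
// '&' goes first so that the entities produced by the later replacements are
// not themselves re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Render one editable field as a label plus a read-only value. Both strings
// are treated as untrusted and pass through escapeHtml before they are
// concatenated into markup.
function renderField(label, value) {
  return `<div class="field"><span class="label">${escapeHtml(label)}</span>` +
         `<span class="value">${escapeHtml(value)}</span></div>`;
}

// Render a whole settings section (for example a 'General' tab) from an
// object mapping field name -> stored value.
function renderSettings(fields) {
  return Object.entries(fields)
    .map(([name, value]) => renderField(name, value))
    .join('\n');
}

// Session cookie attributes that reduce the impact of any script that does
// run in the page: HttpOnly keeps document.cookie from reading it, Secure
// keeps it off plaintext HTTP, SameSite=Lax blocks most cross-site sending.
// Name and value are restricted to plain tokens so they cannot inject
// further attributes into the Set-Cookie header.
function buildSessionCookie(name, value) {
  const token = /^[A-Za-z0-9_-]+$/;
  if (!token.test(name) || !token.test(value)) {
    throw new Error('cookie name and value must be plain tokens');
  }
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Regression check for the renderer: does the output still contain a raw
// script-bearing tag? A correctly escaped page should never match.
function containsRawTag(html) {
  return /<(script|img|svg|iframe)\b/i.test(html);
}

// Constructed sample settings (hypothetical values): the second one is the
// kind of stored string a browser would execute if it were rendered raw.
const constructedSettings = {
  'Company name': 'Acme S.L.',
  'Team ID': "<script>document.location='//example.invalid'</script>",
};

const renderedSettings = renderSettings(constructedSettings);
console.log(renderedSettings);
console.log('raw tag present:', containsRawTag(renderedSettings));
console.log(buildSessionCookie('sid', 'constructed_session_token'));
```

Escaping at render time is the output-encoding half of the fix; the other half is applying the same rule consistently to every editable parameter, since a single field that bypasses `escapeHtml` reintroduces the problem. The cookie attributes do not stop the injection itself but make a simple session-stealing payload far less useful.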