Multiple vulnerabilities in Adive Framework
Posted date 30/04/2024
Identifier
INCIBE-2024-0216
Importance
4 - High
Affected Resources
Adive Framework 2.0.8.
Description
INCIBE has coordinated the publication of 2 vulnerabilities affecting Adive Framework, a web and admin panel generator that offers an alternative way to manage MySQL databases through a custom user interface. The vulnerabilities were discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following identifiers, CVSS v3.1 base scores, CVSS vectors and CWE vulnerability types:
- CVE-2024-4336: 7.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L | CWE-79
- CVE-2024-4337: 7.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L | CWE-79
Solution
There is no solution reported at the moment.
Detail
- CVE-2024-4336: Adive Framework 2.0.8 does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/tables/add endpoint, in multiple parameters. An attacker could retrieve the session details of an authenticated user.
- CVE-2024-4337: Adive Framework 2.0.8 does not sufficiently encode user-controlled inputs, resulting in a persistent Cross-Site Scripting (XSS) vulnerability via the /adive/admin/nav/add endpoint, in multiple parameters. This vulnerability allows an attacker to retrieve the session details of an authenticated user.
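Both entries describe the same root cause (CWE-79: a stored value rendered into HTML without output encoding) and the same impact (session details exposed to injected script). The following is an added illustration, not code from the Adive project, of the vulnerable pattern beside the mitigation a maintainer would apply; it assumes a PHP template that renders a stored form field, and the function and field names are hypothetical.

```php
<?php
// Added example (not Adive's own code): encode stored admin-panel values at
// output time, and keep the session cookie out of reach of injected script.
// Assumes a form such as /adive/admin/tables/add stores a "name" field that
// is later rendered into an HTML table; names here are hypothetical.

declare(strict_types=1);

// Encode a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8 (which would silently drop the value).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (CWE-79): the stored value is concatenated into markup
// unchanged, so any markup the submitter included is parsed by the browser.
function renderRowVulnerable(array $row): string
{
    return '<td>' . $row['name'] . '</td>';
}

// Hardened pattern: encode for the context the value lands in. Encoding on
// input would not help a value that is later used in a non-HTML context.
function renderRowSafe(array $row): string
{
    return '<td>' . e($row['name']) . '</td>';
}

// Defence in depth for the stated impact (session theft): an HttpOnly
// session cookie is not readable through document.cookie, so a successful
// injection cannot simply read the session id. Must run before session_start().
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed sample row: a table name submitted through the admin form.
$row = ['name' => '<b onmouseover="alert(1)">users</b>'];
echo renderRowVulnerable($row), PHP_EOL; // markup reaches the browser as markup
echo renderRowSafe($row), PHP_EOL;       // markup reaches the browser as text
```

The encoded output is only safe for HTML text and attribute contexts; a value placed inside a script block, a URL, or a CSS property needs its own context-specific encoder.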