Multiple vulnerabilities at Alma Devklan Blog
Posted date 19/03/2024
Identificador
INCIBE-2024-0148
Importance
3 - Medium
Affected Resources
Alma Blog, version 2.1.10 and prior.
Description
INCIBE has coordinated the publication of 3 medium severity vulnerabilities affecting Devklan's Alma Blog, a blogging platform mainly intended for the creation of websites, blogs or news or thematic communities, versions 2.1.10 and earlier, which have been discovered by David Utón Amaya.
These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:
- CVE-2024-1144: 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | CWE-284.
- CVE-2024-1145: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CWE-204.
- CVE-2024-1146: 5.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | CWE-79.
Solution
Upgrade Alma Blog to version 2.2.
Detail
- CVE-2024-1144: improper access control vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an unauthenticated user to access the application's functionalities without the need for credentials.
- CVE-2024-1145: user enumeration vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow a remote user to retrieve all valid users registered in the application just by looking at the request response.
- CVE-2024-1146: Cross-Site Scripting vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an attacker to store a malicious JavaScript payload within the application by adding the payload to 'Community Description' or 'Community Rules'.
References list
Etiquetas