CVE-2024-36498

Published Dec 12, 2024

Last updated 2 months ago

CVSS medium 4.7

Overview

Description
Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function which is available at the URL https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. Version 7.40 implemented a fix, but it could be bypassed via URL-encoding the Javascript payload again.
Source
551230f0-3615-47bd-b7cc-93e92e730bbf
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
4.7
Impact score
1.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Severity
MEDIUM

Weaknesses

551230f0-3615-47bd-b7cc-93e92e730bbf
CWE-79

Social media

Hype score
Not currently trending

  1. CVE-2024-36498 SEC Consult SA-20241204-0 : Multiple Critical Vulnerabilities in Image ... https://t.co/I8Fi0RXTbp Vulnerability Notification: https://t.co/xhLrNnfyrO

    @VulmonFeeds

    5 Dec 2024

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References