
    2 vulnerabilities found for DirectAdmin Evolution Skin by DirectAdmin (both entries are the same record, CVE-2024-10385, as published by two sources: nvd and cvelistv5)

    CVE-2024-10385 (GCVE-0-2024-10385)

    Vulnerability from nvd – Published: 2024-12-20 15:52 – Updated: 2024-12-20 16:48
    VLAI
    Title
    Stored XSS in DirectAdmin Evo Skin
    Summary
    The ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views the ticket, the script might perform actions with the admin's privileges, including command execution. This issue has been fixed in version 1.668 of DirectAdmin Evolution Skin.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    DirectAdmin DirectAdmin Evolution Skin Affected: 0 , < 1.668 (custom)
    Date Public
    2024-12-20 11:00
    Credits
    Dariusz Gońda

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10385",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-20T16:47:57.102268Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-20T16:48:15.413Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "DirectAdmin Evolution Skin",
              "vendor": "DirectAdmin",
              "versions": [
                {
                  "lessThan": "1.668",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dariusz Go\u0144da"
            }
          ],
          "datePublic": "2024-12-20T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code.\u003cbr\u003eIf an admin views the ticket, the script might perform actions with their privileges, including command execution.\u0026nbsp;\u003cbr\u003e\u003cp\u003eThis issue has been fixed in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eversion 1.668 of\u003c/span\u003e DirectAdmin Evolution Skin.\u003c/p\u003e"
                }
              ],
              "value": "Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code.\nIf an admin views the ticket, the script might perform actions with their privileges, including command execution.\u00a0\nThis issue has been fixed in\u00a0version 1.668 of DirectAdmin Evolution Skin."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            },
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-20T15:52:26.083Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2024/12/CVE-2024-10385"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.directadmin.com/evolution.php"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored XSS in DirectAdmin Evo Skin",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2024-10385",
        "datePublished": "2024-12-20T15:52:26.083Z",
        "dateReserved": "2024-10-25T12:33:19.549Z",
        "dateUpdated": "2024-12-20T16:48:15.413Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-10385 (GCVE-0-2024-10385)

    Vulnerability from cvelistv5 – Published: 2024-12-20 15:52 – Updated: 2024-12-20 16:48
    VLAI
    Title
    Stored XSS in DirectAdmin Evo Skin
    Summary
    The ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views the ticket, the script might perform actions with the admin's privileges, including command execution. This issue has been fixed in version 1.668 of DirectAdmin Evolution Skin.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    DirectAdmin DirectAdmin Evolution Skin Affected: 0 , < 1.668 (custom)
    Date Public
    2024-12-20 11:00
    Credits
    Dariusz Gońda

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10385",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-20T16:47:57.102268Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-20T16:48:15.413Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "DirectAdmin Evolution Skin",
              "vendor": "DirectAdmin",
              "versions": [
                {
                  "lessThan": "1.668",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dariusz Go\u0144da"
            }
          ],
          "datePublic": "2024-12-20T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code.\u003cbr\u003eIf an admin views the ticket, the script might perform actions with their privileges, including command execution.\u0026nbsp;\u003cbr\u003e\u003cp\u003eThis issue has been fixed in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eversion 1.668 of\u003c/span\u003e DirectAdmin Evolution Skin.\u003c/p\u003e"
                }
              ],
              "value": "Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code.\nIf an admin views the ticket, the script might perform actions with their privileges, including command execution.\u00a0\nThis issue has been fixed in\u00a0version 1.668 of DirectAdmin Evolution Skin."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            },
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-20T15:52:26.083Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2024/12/CVE-2024-10385"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.directadmin.com/evolution.php"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored XSS in DirectAdmin Evo Skin",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2024-10385",
        "datePublished": "2024-12-20T15:52:26.083Z",
        "dateReserved": "2024-10-25T12:33:19.549Z",
        "dateUpdated": "2024-12-20T16:48:15.413Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }