cve-2024-40875
Vulnerability from cvelistv5
Published
2024-12-20 20:17
Modified
2024-12-20 20:17
Severity ?
EPSS score ?
Summary
There is a cross-site scripting vulnerability in the
management console of Absolute Secure Access prior to version 13.52. Attackers
with system administrator permissions can interfere with another system
administrator’s use of the management console when the second administrator logs
in. Attack complexity is high, attack requirements are present, privileges
required are high, user interaction required is none. The impact to
confidentiality is none, the impact to availability is low, and the impact to
system integrity is high.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Absolute Software | Secure Access |
Version: 0 |
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "Management Console" ], "product": "Secure Access", "vendor": "Absolute Software", "versions": [ { "lessThan": "13.52", "status": "affected", "version": "0", "versionType": "Server" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eThere is a cross-site scripting vulnerability in the\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\nwith system administrator permissions can interfere with another system\nadministrator\u2019s use of the management console when the second administrator logs\nin. Attack complexity is high, attack requirements are present, privileges\nrequired are high, user interaction required is none. The impact to\nconfidentiality is none, the impact to availability is low, and the impact to\nsystem integrity is high. \u003c/p\u003e" } ], "value": "There is a cross-site scripting vulnerability in the\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\nwith system administrator permissions can interfere with another system\nadministrator\u2019s use of the management console when the second administrator logs\nin. Attack complexity is high, attack requirements are present, privileges\nrequired are high, user interaction required is none. The impact to\nconfidentiality is none, the impact to availability is low, and the impact to\nsystem integrity is high." } ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 5.9, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-20T20:17:27.132Z", "orgId": "b6533044-ea05-4482-8458-7bddeca0d079", "shortName": "Absolute" }, "references": [ { "url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Cross-site scripting vulnerability in the Secure Access administrative console prior to 13.52", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079", "assignerShortName": "Absolute", "cveId": "CVE-2024-40875", "datePublished": "2024-12-20T20:17:27.132Z", "dateReserved": "2024-07-10T20:40:17.120Z", "dateUpdated": "2024-12-20T20:17:27.132Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-40875\",\"sourceIdentifier\":\"SecurityResponse@netmotionsoftware.com\",\"published\":\"2024-12-20T21:15:08.290\",\"lastModified\":\"2024-12-20T21:15:08.290\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a cross-site scripting vulnerability in the\\nmanagement console of Absolute Secure Access prior to version 13.52. Attackers\\nwith system administrator permissions can interfere with another system\\nadministrator\u2019s use of the management console when the second administrator logs\\nin. Attack complexity is high, attack requirements are present, privileges\\nrequired are high, user interaction required is none. The impact to\\nconfidentiality is none, the impact to availability is low, and the impact to\\nsystem integrity is high.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"SecurityResponse@netmotionsoftware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"NONE\",\"vulnerableSystemIntegrity\":\"HIGH\",\"vulnerableSystemAvailability\":\"LOW\",\"subsequentSystemConfidentiality\":\"NONE\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"SecurityResponse@netmotionsoftware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1352/\",\"source\":\"SecurityResponse@netmotionsoftware.com\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.