PT-2024-27817 · Unknown · Wbsairback
Author: Alejandro Amorín Niño (+3)
Published: 2024-04-15 · Updated: 2025-04-10
CVE-2024-3790
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
WBSAirback version 21.02.04
Description
The issue is a stored Cross-Site Scripting (XSS) vulnerability. It is reachable through the /admin/SystemUsers endpoint, specifically via the login and description fields and the passwd1 and passwd2 parameters. This could allow a remote user to send a specially crafted URL to the victim and steal their session data.
Recommendations
For WBSAirback version 21.02.04, consider disabling access to the /admin/SystemUsers endpoint until a patch is available. As a temporary workaround, restrict the use of the login and description fields and the passwd1 and passwd2 parameters to minimize the risk of exploitation.
Fix
XSS
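The fields named above are user-controlled values that end up rendered in an admin page, which is the classic stored-XSS pattern. The following is an added illustration, not code from WBSAirback or from this advisory's authors: it shows an admin user-list row rendered with and without output encoding, plus an input-side allowlist for the login field as defense in depth. The SystemUser record, the validate_login rule and the sample values are constructed assumptions.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class SystemUser:
    """Constructed stand-in for a record edited via /admin/SystemUsers."""
    login: str
    description: str


# Constructed sample: the description carries markup that a browser would
# execute if the admin page echoed it back verbatim.
SAMPLE_USER = SystemUser(
    login="alice.ops",
    description="Backup operator <script>/* constructed marker */</script>",
)

# Hypothetical allowlist for the login field: letters, digits, dot, dash,
# underscore. Rejecting markup at input time is a second layer, not a
# replacement for output encoding.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_login(login: str) -> bool:
    """Return True only if the login matches the constructed allowlist."""
    return LOGIN_RE.fullmatch(login) is not None


def render_user_row_unsafe(user: SystemUser) -> str:
    """Vulnerable pattern: interpolates stored values straight into HTML."""
    return f"<tr><td>{user.login}</td><td>{user.description}</td></tr>"


def render_user_row(user: SystemUser) -> str:
    """Hardened form: HTML-escape every stored value before it hits the page."""
    return (
        f"<tr><td>{html.escape(user.login)}</td>"
        f"<td>{html.escape(user.description)}</td></tr>"
    )


def contains_raw_script(rendered: str) -> bool:
    """Simple check a reviewer can run over rendered output."""
    return "<script" in rendered.lower()
```

Password-type parameters such as passwd1 and passwd2 should never be reflected into a page at all, so for those the fix is to stop rendering them rather than to escape them.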
Weakness Enumeration
Related Identifiers
Affected Products
Wbsairback