PT-2024-28478 · Dotadmin · Dotadmin

Zakaria Agharghar · Published 2024-07-25 · Updated 2024-08-13 · CVE-2024-3938

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: dotAdmin (affected versions not specified)

Description: The "reset password" login page reflected HTML supplied through URL parameters into the page without escaping it (HTML injection). This issue has already been rectified via a patch. The vulnerability can be demonstrated by accessing the "http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E" endpoint, which renders the injected markup inside the login page. The issue is related to OWASP Top 10 - A03: Injection.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
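As an added example (not dotAdmin's own code), the JavaScript below reproduces the pattern behind this finding: a "reset link sent" notice that concatenates the decoded resetEmail URL parameter straight into markup, beside a hardened version of the same notice that validates the value and HTML-escapes it before rendering. The function names, the e-mail regex and the notice wording are assumptions; the proof-of-concept URL is the one given in the description, and the benign URL is constructed.

```javascript
// Added example, not code from dotAdmin. Helper names are hypothetical.

// Minimal HTML escaper covering the characters that matter in text and
// double-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Parse the query string carried inside the hash fragment, as in the
// advisory's URL (#/public/login?resetEmailSent=true&resetEmail=...).
// URL and URLSearchParams are standard APIs; URLSearchParams also
// percent-decodes the values.
function parseFragmentParams(href) {
  const url = new URL(href);
  const fragment = url.hash.startsWith("#") ? url.hash.slice(1) : url.hash;
  const qIndex = fragment.indexOf("?");
  return new URLSearchParams(qIndex === -1 ? "" : fragment.slice(qIndex + 1));
}

// VULNERABLE pattern: the decoded parameter is concatenated into markup,
// so any tags in it become part of the page (the HTML injection reported).
function renderNoticeVulnerable(params) {
  if (params.get("resetEmailSent") !== "true") return "";
  return `<p>A reset link was sent to ${params.get("resetEmail")}</p>`;
}

// HARDENED pattern: the same notice, but the parameter is (1) checked
// against a conservative e-mail shape and (2) HTML-escaped before insertion.
// In a front-end framework the equivalent is rendering this value through
// text interpolation / textContent rather than innerHTML.
const EMAIL_SHAPE = /^[^\s<>"'@]+@[^\s<>"'@]+\.[^\s<>"'@]+$/; // assumption

function renderNoticeSafe(params) {
  if (params.get("resetEmailSent") !== "true") return "";
  const email = params.get("resetEmail") || "";
  if (!EMAIL_SHAPE.test(email)) {
    // Unexpected input is not echoed at all; a generic message suffices.
    return "<p>A reset link was sent to the address on file.</p>";
  }
  return `<p>A reset link was sent to ${escapeHtml(email)}</p>`;
}

// The advisory's own proof-of-concept URL.
const POC_URL =
  "http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true" +
  "&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E";

// Constructed benign input: what the parameter looks like in normal use.
const BENIGN_URL =
  "http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=user%40example.com";

console.log("vulnerable:", renderNoticeVulnerable(parseFragmentParams(POC_URL)));
console.log("hardened:  ", renderNoticeSafe(parseFragmentParams(POC_URL)));
console.log("benign:    ", renderNoticeSafe(parseFragmentParams(BENIGN_URL)));
```

Run with `node`: the vulnerable renderer emits the injected `<h1><a ...>` markup verbatim, while the hardened renderer falls back to a generic message for the proof-of-concept value and escapes characters such as `&` in values that do pass the shape check. The shape check is a defence-in-depth layer; the escaping is what actually removes the injection, and it must be applied in whatever rendering path the framework uses.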

XSS

RCE

Weakness Enumeration

Related Identifiers: CVE-2024-3938

Affected Products: Dotadmin