cvelistv5 - cve-2024-28034

CVE-2024-28034 (GCVE-0-2024-28034)

Vulnerability from cvelistv5

Published

2024-03-26 09:36

Modified

2024-11-05 14:33

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

Cross-site scripting (XSS)

Summary

Cross-site scripting vulnerability exists in Mini Thread Version 3.33βi. An arbitrary script may be executed on the web browser of the user accessing the website that uses the product. Note that the developer was unreachable, therefore, users should consider stop using Mini Thread Version 3.33βi.

References

URL

Tags

https://jvn.jp/en/jp/JVN40523785/

Impacted products

	Vendor	Product	Version
	Flash CGI	Mini Thread	Version: Version 3.33βi

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-28034",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-16T17:46:35.446894Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T14:33:33.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:47.636Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN40523785/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Mini Thread",
          "vendor": "Flash CGI",
          "versions": [
            {
              "status": "affected",
              "version": "Version 3.33\u03b2i"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability exists in Mini Thread Version 3.33\u03b2i. An arbitrary script may be executed on the web browser of the user accessing the website that uses the product. Note that the developer was unreachable, therefore, users should consider stop using Mini Thread Version 3.33\u03b2i."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-26T09:36:04.246Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://jvn.jp/en/jp/JVN40523785/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-28034",
    "datePublished": "2024-03-26T09:36:04.246Z",
    "dateReserved": "2024-03-05T04:05:58.135Z",
    "dateUpdated": "2024-11-05T14:33:33.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://jvn.jp/en/jp/JVN40523785/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:48:47.636Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28034\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-16T17:46:35.446894Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-16T17:47:19.410Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Flash CGI\", \"product\": \"Mini Thread\", \"versions\": [{\"status\": \"affected\", \"version\": \"Version 3.33\\u03b2i\"}]}], \"references\": [{\"url\": \"https://jvn.jp/en/jp/JVN40523785/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cross-site scripting vulnerability exists in Mini Thread Version 3.33\\u03b2i. An arbitrary script may be executed on the web browser of the user accessing the website that uses the product. Note that the developer was unreachable, therefore, users should consider stop using Mini Thread Version 3.33\\u03b2i.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Cross-site scripting (XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"shortName\": \"jpcert\", \"dateUpdated\": \"2024-03-26T09:36:04.246Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-28034\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-05T14:33:33.474Z\", \"dateReserved\": \"2024-03-05T04:05:58.135Z\", \"assignerOrgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"datePublished\": \"2024-03-26T09:36:04.246Z\", \"assignerShortName\": \"jpcert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

cve-2024-28034

Vulnerability from jvndb

Published

2024-03-26 17:43

Modified

2024-03-26 17:43

Severity ?

6.1 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

Mini Thread vulnerable to cross-site scripting

Details

Mini Thread <http://www.flashcgi.net/> provided by Flash CGI (according to the original report submitted by the reporter) is a CGI script for creating a bulletin board system (BBS). Mini Thread contains a cross-site scripting vulnerability (CWE-79). During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 20, 2023, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Other and Information Security Early Warning Partnership Guideline have been satisfied. 1.The developer of the product is unreachable 2.Existence of vulnerability has been verified 3.Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4.There are no particular reasons that would make disclosure inappropriate

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN40523785/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-28034
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

Flash CGI

Mini Thread

Show details on JVN DB website