CVE-2023-6769 - OpenCVE

Stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4. This vulnerability allows a remote attacker to store a malicious JavaScript payload in the "lp_admin.php" file in the "question" and "item" parameters. This vulnerability could lead to malicious JavaScript execution while the page is loading.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mr-corner	Amazing Little Poll

Configuration 1 [-]

OR	cpe:2.3:a:mr-corner:amazing_little_poll:1.3:::::::*
	cpe:2.3:a:mr-corner:amazing_little_poll:1.4:::::::*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amazing-little-poll

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-12-20T09:50:44.480Z

Updated: 2024-08-02T08:42:07.337Z

Reserved: 2023-12-13T11:43:04.671Z

Link: CVE-2023-6769

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-20T10:15:08.087

Modified: 2023-12-22T09:59:41.467

Link: CVE-2023-6769

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6769", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-12-13T11:43:04.671Z", "datePublished": "2023-12-20T09:50:44.480Z", "dateUpdated": "2024-08-02T08:42:07.337Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Amazing Little poll", "vendor": "Amazing Little poll", "versions": [{"status": "affected", "version": "1.3"}, {"status": "affected", "version": "1.4"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "datePublic": "2023-12-13T12:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4. This vulnerability allows a remote attacker to store a malicious JavaScript payload in the \"lp_admin.php\" file in the \"question\" and \"item\" parameters. This vulnerability could lead to malicious JavaScript execution while the page is loading."}], "value": "Stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4. This vulnerability allows a remote attacker to store a malicious JavaScript payload in the \"lp_admin.php\" file in the \"question\" and \"item\" parameters. This vulnerability could lead to malicious JavaScript execution while the page is loading."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-12-20T09:50:44.480Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amazing-little-poll"}], "source": {"discovery": "UNKNOWN"}, "title": "Stored XSS vulnerability in Amazing Little Poll", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:42:07.337Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amazing-little-poll", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mr-corner:amazing_little_poll:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "1E9D3BF2-8AF3-44D0-BF44-CFC2F235A129", "vulnerable": true}, {"criteria": "cpe:2.3:a:mr-corner:amazing_little_poll:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "E224C9C6-B463-4167-91E6-565DE9C5E1F7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4. This vulnerability allows a remote attacker to store a malicious JavaScript payload in the \"lp_admin.php\" file in the \"question\" and \"item\" parameters. This vulnerability could lead to malicious JavaScript execution while the page is loading."}, {"lang": "es", "value": "Vulnerabilidad XSS almacenado en Amazing Little Poll, que afecta a las versiones 1.3 y 1.4. Esta vulnerabilidad permite a un atacante remoto almacenar un payload de JavaScript malicioso en el archivo \"lp_admin.php\" en los par\u00e1metros \"question\" e \"item\". Esta vulnerabilidad podr\u00eda provocar la ejecuci\u00f3n maliciosa de JavaScript mientras se carga la p\u00e1gina."}], "id": "CVE-2023-6769", "lastModified": "2023-12-22T09:59:41.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-12-20T10:15:08.087", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amazing-little-poll"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}