Description
Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code.
If an admin views the ticket, the script might perform actions with their privileges, including command execution. 
This issue has been fixed in version 1.668 of DirectAdmin Evolution Skin.
Published: 2024-12-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2024-33583 Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views the ticket, the script might perform actions with their privileges, including command execution.  This issue has been fixed in version 1.668 of DirectAdmin Evolution Skin.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00209}

epss

{'score': 0.0027}


Fri, 20 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Dec 2024 16:00:00 +0000

Type Values Removed Values Added
Description Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views the ticket, the script might perform actions with their privileges, including command execution.  This issue has been fixed in version 1.668 of DirectAdmin Evolution Skin.
Title Stored XSS in DirectAdmin Evo Skin
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2024-12-20T16:48:15.413Z

Reserved: 2024-10-25T12:33:19.549Z

Link: CVE-2024-10385

cve-icon Vulnrichment

Updated: 2024-12-20T16:48:07.360Z

cve-icon NVD

Status : Deferred

Published: 2024-12-20T16:15:21.523

Modified: 2026-06-17T06:55:31.970

Link: CVE-2024-10385

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')