CVE-2024-36819 - Vulnerability Details - OpenCVE

MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the "Client Name" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee dashboards, resulting in unauthorized script execution whenever the dashboard is loaded.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00217.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mapos Subscribe	Map-os Subscribe

Configuration 1 [-]

cpe:2.3:a:mapos:map-os:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929
https://github.com/RamonSilva20/mapos/tree/master

History

Thu, 03 Jul 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mapos Mapos map-os
CPEs		cpe:2.3:a:mapos:map-os::::::::
Vendors & Products		Mapos Mapos map-os

Fri, 01 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-06-25T00:00:00

Updated: 2024-11-01T15:28:51.878Z

Reserved: 2024-05-30T00:00:00

Link: CVE-2024-36819

Vulnrichment

Updated: 2024-08-02T03:43:49.158Z

NVD

Status : Analyzed

Published: 2024-06-25T19:15:11.837

Modified: 2025-07-03T16:28:57.487

Link: CVE-2024-36819

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-36819", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-01T15:28:51.878Z", "dateReserved": "2024-05-30T00:00:00", "datePublished": "2024-06-25T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-25T18:45:44.653971"}, "descriptions": [{"lang": "en", "value": "MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the \"Client Name\" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee dashboards, resulting in unauthorized script execution whenever the dashboard is loaded."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/RamonSilva20/mapos/tree/master"}, {"url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-25T20:34:15.998937Z", "id": "CVE-2024-36819", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-01T15:28:51.878Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:49.158Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/RamonSilva20/mapos/tree/master", "tags": ["x_transferred"]}, {"url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/RamonSilva20/mapos/tree/master", "tags": ["x_transferred"]}, {"url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:49.158Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-25T20:34:15.998937Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T20:34:20.245Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/RamonSilva20/mapos/tree/master"}, {"url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929"}], "descriptions": [{"lang": "en", "value": "MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the \"Client Name\" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee dashboards, resulting in unauthorized script execution whenever the dashboard is loaded."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-25T18:45:44.653971"}}}, "cveMetadata": {"cveId": "CVE-2024-36819", "state": "PUBLISHED", "dateUpdated": "2024-11-01T15:28:51.878Z", "dateReserved": "2024-05-30T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-06-25T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mapos:map-os:*:*:*:*:*:*:*:*", "matchCriteriaId": "973182C1-3AA2-453F-ADF9-D1223CB11765", "versionEndIncluding": "4.45.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the \"Client Name\" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee dashboards, resulting in unauthorized script execution whenever the dashboard is loaded."}, {"lang": "es", "value": "MAP-OS 4.45.0 y versiones anteriores son vulnerables a Cross-Site Scripting (XSS). Esta vulnerabilidad permite a usuarios malintencionados insertar un payload malicioso en la entrada \"Nombre del cliente\". Cuando se crea una orden de servicio de este cliente, el payload malicioso se muestra en los paneles de administrador y de empleado, lo que resulta en la ejecuci\u00f3n de scripts no autorizados cada vez que se carga el panel."}], "id": "CVE-2024-36819", "lastModified": "2025-07-03T16:28:57.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-25T19:15:11.837", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/RamonSilva20/mapos/tree/master"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/RamonSilva20/mapos/tree/master"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}