CVE-2024-3796 - Vulnerability Details - OpenCVE

Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/BackupSchedule, description field. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00116.

Key SSVC decision points have not yet been added.

Vendors	Products
Whitebearsolutions	Wbsairback

Configuration 1 [-]

cpe:2.3:a:whitebearsolutions:wbsairback:21.02.04:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

The vulnerability has been fixed by the White Bear Solutions team in version 21.05.00.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wbsairback-white-bear-solutions

History

Thu, 27 Feb 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Whitebearsolutions Whitebearsolutions wbsairback
CPEs		cpe:2.3:a:whitebearsolutions:wbsairback:21.02.04:::::::*
Vendors & Products		Whitebearsolutions Whitebearsolutions wbsairback

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-04-15T14:15:20.141Z

Updated: 2024-08-01T20:20:02.125Z

Reserved: 2024-04-15T10:19:03.342Z

Link: CVE-2024-3796

Vulnrichment

Updated: 2024-08-01T20:20:02.125Z

NVD

Status : Undergoing Analysis

Published: 2024-05-14T15:42:20.967

Modified: 2025-04-10T19:54:51.197

Link: CVE-2024-3796

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3796", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-04-15T10:19:03.342Z", "datePublished": "2024-04-15T14:15:20.141Z", "dateUpdated": "2024-08-01T20:20:02.125Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "White Bear Solutions", "vendor": "WBSAirback", "versions": [{"status": "affected", "version": "21.02.04"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Alejandro Amor\u00edn Ni\u00f1o"}, {"lang": "en", "type": "finder", "value": "Guillermo Tuvilla G\u00f3mez"}, {"lang": "en", "type": "finder", "value": "Sergio Rom\u00e1n Hurtado"}], "datePublic": "2024-04-15T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/BackupSchedule, description field. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data."}], "value": "Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/BackupSchedule, description field. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-04-15T14:15:20.141Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wbsairback-white-bear-solutions"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability has been fixed by the White Bear Solutions team in version 21.05.00."}], "value": "The vulnerability has been fixed by the White Bear Solutions team in version 21.05.00."}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-site Scripting vulnerability in WBSAirback", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3796", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-15T19:39:17.849999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:31:49.255Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:02.125Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wbsairback-white-bear-solutions", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wbsairback-white-bear-solutions", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:02.125Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3796", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-15T19:39:17.849999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:17.155Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Cross-site Scripting vulnerability in WBSAirback", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Alejandro Amor\u00edn Ni\u00f1o"}, {"lang": "en", "type": "finder", "value": "Guillermo Tuvilla G\u00f3mez"}, {"lang": "en", "type": "finder", "value": "Sergio Rom\u00e1n Hurtado"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WBSAirback", "product": "White Bear Solutions", "versions": [{"status": "affected", "version": "21.02.04"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability has been fixed by the White Bear Solutions team in version 21.05.00.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been fixed by the White Bear Solutions team in version 21.05.00.", "base64": false}]}], "datePublic": "2024-04-15T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wbsairback-white-bear-solutions"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/BackupSchedule, description field. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/BackupSchedule, description field. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-04-15T14:15:20.141Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3796", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:20:02.125Z", "dateReserved": "2024-04-15T10:19:03.342Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-04-15T14:15:20.141Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whitebearsolutions:wbsairback:21.02.04:*:*:*:*:*:*:*", "matchCriteriaId": "8B16A4DD-68FD-4E8E-B775-83CAA5F0E469", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/BackupSchedule, description field. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data."}, {"lang": "es", "value": "Vulnerabilidad en WBSAirback 21.02.04, que consiste en un Cross-Site Scripting (XSS) almacenado a trav\u00e9s de /admin/BackupSchedule, campo de descripci\u00f3n. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir que un usuario remoto env\u00ede una URL especialmente manipulada a la v\u00edctima y robe los datos de su sesi\u00f3n."}], "id": "CVE-2024-3796", "lastModified": "2025-04-10T19:54:51.197", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-14T15:42:20.967", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wbsairback-white-bear-solutions"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wbsairback-white-bear-solutions"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}