{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-40111", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-26T16:41:30.860Z", "dateReserved": "2024-07-05T00:00:00.000Z", "datePublished": "2024-08-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-08-23T20:59:40.419Z"}, "descriptions": [{"lang": "en", "value": "A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/w3bn00b3r/Stored-Cross-Site-Scripting-XSS---Automad-2.0.0-alpha.4/"}, {"url": "https://drive.google.com/file/d/10BVQKYo2H1-Nx3FOGteL2xww4lbZ3xlS/view?usp=sharing"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "affected": [{"vendor": "automad", "product": "automad", "cpes": ["cpe:2.3:a:automad:automad:2.0.0-alpha.4:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0.0-alpha.4", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-26T16:14:59.140048Z", "id": "CVE-2024-40111", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T16:41:30.860Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-40111", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-26T16:14:59.140048Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:automad:automad:2.0.0-alpha.4:*:*:*:*:*:*:*"], "vendor": "automad", "product": "automad", "versions": [{"status": "affected", "version": "2.0.0-alpha.4"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T16:17:06.389Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/w3bn00b3r/Stored-Cross-Site-Scripting-XSS---Automad-2.0.0-alpha.4/"}, {"url": "https://drive.google.com/file/d/10BVQKYo2H1-Nx3FOGteL2xww4lbZ3xlS/view?usp=sharing"}], "descriptions": [{"lang": "en", "value": "A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-08-23T20:59:40.419Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40111", "state": "PUBLISHED", "dateUpdated": "2024-08-26T16:41:30.860Z", "dateReserved": "2024-07-05T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-08-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:automad:automad:2.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "D79102BB-6E1E-4368-BEF7-7E2D0DE517BB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de cross site scripting (XSS) persistente (almacenado) en Automad 2.0.0-alpha.4. Esta vulnerabilidad permite a un atacante inyectar c\u00f3digo JavaScript malicioso en el cuerpo de la plantilla. El c\u00f3digo inyectado se almacena dentro del archivo plano CMS y se ejecuta en el navegador de cualquier usuario que visite el foro."}], "id": "CVE-2024-40111", "lastModified": "2025-04-21T14:38:21.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-08-23T21:15:07.320", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://drive.google.com/file/d/10BVQKYo2H1-Nx3FOGteL2xww4lbZ3xlS/view?usp=sharing"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/w3bn00b3r/Stored-Cross-Site-Scripting-XSS---Automad-2.0.0-alpha.4/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{}