CVE-2024-5410 - Vulnerability Details - OpenCVE

Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00664.

Key SSVC decision points have not yet been added.

Vendors	Products
Oringnet	Iap-420 Iap-420 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:oringnet:iap-420_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:oringnet:iap-420:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-46632	Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://seclists.org/fulldisclosure/2024/May/36
https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/

History

Wed, 29 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Oringnet Oringnet iap-420 Oringnet iap-420 Firmware
CPEs		cpe:2.3:h:oringnet:iap-420:-:::::::* cpe:2.3:o:oringnet:iap-420_firmware::::::::
Vendors & Products		Oringnet Oringnet iap-420 Oringnet iap-420 Firmware
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: CyberDanube

Published: 2024-05-28T10:23:16.991Z

Updated: 2025-02-13T17:54:08.981Z

Reserved: 2024-05-27T08:36:53.398Z

Link: CVE-2024-5410

Vulnrichment

Updated: 2024-08-01T21:11:12.769Z

NVD

Status : Analyzed

Published: 2024-05-28T11:15:10.327

Modified: 2025-10-29T14:02:03.710

Link: CVE-2024-5410

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-5410", "assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "state": "PUBLISHED", "assignerShortName": "CyberDanube", "dateReserved": "2024-05-27T08:36:53.398Z", "datePublished": "2024-05-28T10:23:16.991Z", "dateUpdated": "2025-02-13T17:54:08.981Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "IAP-420", "vendor": "ORing", "versions": [{"lessThanOrEqual": "2.01e", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "T. Weber"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).<p>This issue affects IAP-420 version 2.01e and below.</p>"}], "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.3, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "shortName": "CyberDanube", "dateUpdated": "2024-06-10T16:12:20.810Z"}, "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/"}, {"url": "http://seclists.org/fulldisclosure/2024/May/36"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored Cross-Site Scripting", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T18:05:00.861450Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:02:51.184Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.769Z"}, "title": "CVE Program Container", "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/May/36", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/May/36", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.769Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T18:05:00.861450Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-29T18:05:05.974Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Stored Cross-Site Scripting", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "T. Weber"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ORing", "product": "IAP-420", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.01e"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/"}, {"url": "http://seclists.org/fulldisclosure/2024/May/36"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below.", "supportingMedia": [{"type": "text/html", "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).<p>This issue affects IAP-420 version 2.01e and below.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "shortName": "CyberDanube", "dateUpdated": "2024-05-28T10:23:16.991Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5410", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:11:12.769Z", "dateReserved": "2024-05-27T08:36:53.398Z", "assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc", "datePublished": "2024-05-28T10:23:16.991Z", "assignerShortName": "CyberDanube"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oringnet:iap-420_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "88C6CBC9-A0A2-43B3-94B6-600185040FE4", "versionEndIncluding": "2.01e", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:oringnet:iap-420:-:*:*:*:*:*:*:*", "matchCriteriaId": "11AA2B35-558A-4094-96FD-5A96F5B3B845", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing input validation in the ORing IAP-420 web-interface allows stored Cross-Site Scripting (XSS).This issue affects IAP-420 version 2.01e and below."}, {"lang": "es", "value": "La falta de validaci\u00f3n de entrada en la interfaz web ORing del IAP-420 permite el almacenamiento de Cross-site scripting (XSS). Este problema afecta a la versi\u00f3n 2.01e y anteriores del IAP-420."}], "id": "CVE-2024-5410", "lastModified": "2025-10-29T14:02:03.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "office@cyberdanube.com", "type": "Secondary"}]}, "published": "2024-05-28T11:15:10.327", "references": [{"source": "office@cyberdanube.com", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2024/May/36"}, {"source": "office@cyberdanube.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2024/May/36"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-oring-iap420/"}], "sourceIdentifier": "office@cyberdanube.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "office@cyberdanube.com", "type": "Secondary"}]}