CVE-2024-6050 - Vulnerability Details - OpenCVE

Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser. This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01524.

Key SSVC decision points have not yet been added.

Vendors	Products
Sokrates	Sowa Opac

Configuration 1 [-]

OR	cpe:2.3:a:sokrates:sowa_opac::::::::
	cpe:2.3:a:sokrates:sowa_opac::::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://cert.pl/en/posts/2024/07/CVE-2024-6050/
https://cert.pl/posts/2024/07/CVE-2024-6050/

History

Thu, 15 Aug 2024 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sokrates Sokrates sowa Opac
CPEs		cpe:2.3:a:sokrates:sowa_opac::::::::
Vendors & Products		Sokrates Sokrates sowa Opac
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2024-07-01T13:40:48.134Z

Updated: 2024-08-01T21:25:03.198Z

Reserved: 2024-06-17T09:13:23.481Z

Link: CVE-2024-6050

Vulnrichment

Updated: 2024-08-01T21:25:03.198Z

NVD

Status : Modified

Published: 2024-07-01T14:15:05.893

Modified: 2024-11-21T09:48:50.687

Link: CVE-2024-6050

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6050", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-06-17T09:13:23.481Z", "datePublished": "2024-07-01T13:40:48.134Z", "dateUpdated": "2024-08-01T21:25:03.198Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SOWA OPAC", "vendor": "SOKRATES-software", "versions": [{"lessThan": "4.9.10", "status": "affected", "version": "4.0", "versionType": "custom"}, {"lessThan": "6.2.12", "status": "affected", "version": "5.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kacper Rybczy\u0144ski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS). <span style=\"background-color: rgb(252, 252, 252);\">An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser. </span><p>This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS).\u00a0An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser.\u00a0This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-07-01T13:40:48.134Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://cert.pl/en/posts/2024/07/CVE-2024-6050/"}, {"tags": ["vendor-advisory"], "url": "https://cert.pl/posts/2024/07/CVE-2024-6050/"}], "source": {"discovery": "UNKNOWN"}, "title": "Reflected XSS in SOWA OPAC", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "sokrates", "product": "sowa_opac", "cpes": ["cpe:2.3:a:sokrates:sowa_opac:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "4.0", "status": "affected", "lessThan": "4.9.10", "versionType": "custom"}, {"version": "5.0", "status": "affected", "lessThan": "6.2.12", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-02T14:31:25.539482Z", "id": "CVE-2024-6050", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T14:42:33.460Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:25:03.198Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://cert.pl/en/posts/2024/07/CVE-2024-6050/"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://cert.pl/posts/2024/07/CVE-2024-6050/"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert.pl/en/posts/2024/07/CVE-2024-6050/", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://cert.pl/posts/2024/07/CVE-2024-6050/", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:25:03.198Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6050", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-02T14:31:25.539482Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sokrates:sowa_opac:*:*:*:*:*:*:*:*"], "vendor": "sokrates", "product": "sowa_opac", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.9.10", "versionType": "custom"}, {"status": "affected", "version": "5.0", "lessThan": "6.2.12", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T14:36:39.755Z"}}], "cna": {"title": "Reflected XSS in SOWA OPAC", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Kacper Rybczy\u0144ski"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 5.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/AU:Y/R:A/U:Green", "providerUrgency": "GREEN", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SOKRATES-software", "product": "SOWA OPAC", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.9.10", "versionType": "custom"}, {"status": "affected", "version": "5.0", "lessThan": "6.2.12", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2024/07/CVE-2024-6050/", "tags": ["vendor-advisory"]}, {"url": "https://cert.pl/posts/2024/07/CVE-2024-6050/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS).\u00a0An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser.\u00a0This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS). <span style=\"background-color: rgb(252, 252, 252);\">An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser. </span><p>This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-07-01T13:40:48.134Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6050", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:25:03.198Z", "dateReserved": "2024-06-17T09:13:23.481Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-07-01T13:40:48.134Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sokrates:sowa_opac:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF0045B8-0040-4270-9AF8-F72CFCEAF07D", "versionEndExcluding": "4.9.10", "versionStartIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sokrates:sowa_opac:*:*:*:*:*:*:*:*", "matchCriteriaId": "562ACEC4-A802-4A0C-BE9E-ECEDE028E52C", "versionEndExcluding": "6.2.12", "versionStartIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation vulnerability in SOKRATES-software SOWA OPAC allows a Reflected Cross-Site Scripting (XSS).\u00a0An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser.\u00a0This issue affects SOWA OPAC software in versions from 4.0 before 4.9.10, from 5.0 before 6.2.12."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web en el software SOKRATES SOWA OPAC permite un Cross-Site Scripting (XSS) Reflejado. Un atacante podr\u00eda enga\u00f1ar a alguien para que utilice una URL manipulada, lo que provocar\u00e1 que se ejecute un script en el navegador del usuario. Este problema afecta al software SOWA OPAC en las versiones 4.0 anteriores a la 4.9.10 y 5.0 anteriores a la 6.2.12."}], "id": "CVE-2024-6050", "lastModified": "2024-11-21T09:48:50.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "YES", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "recovery": "AUTOMATIC", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:Green", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2024-07-01T14:15:05.893", "references": [{"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/07/CVE-2024-6050/"}, {"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/07/CVE-2024-6050/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/07/CVE-2024-6050/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/07/CVE-2024-6050/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cvd@cert.pl", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}