Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 16 Oct 2024 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Payara
Payara payara
CPEs cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*
cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*
Vendors & Products Payara
Payara payara
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H'}


Tue, 08 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Payara Platform
Payara Platform payara Server
CPEs cpe:2.3:a:payara_platform:payara_server:*:*:*:*:*:*:*:*
Vendors & Products Payara Platform
Payara Platform payara Server
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 08 Oct 2024 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.
Title Payload Injection Attack via Management REST interface
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Payara

Published:

Updated: 2024-10-08T16:24:35.824Z

Reserved: 2024-08-27T11:51:30.618Z

Link: CVE-2024-8215

cve-icon Vulnrichment

Updated: 2024-10-08T16:24:30.556Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-08T16:15:13.380

Modified: 2024-10-16T17:58:52.013

Link: CVE-2024-8215

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.