CVE-2024-45799 – Javascript Injection in Vending Info/Buyers Info Module in FluxCP
https://notcve.org/view.php?id=CVE-2024-45799
FluxCP is a web-based control panel for rAthena servers written in PHP. A JavaScript injection is possible via the vendors/buyers list pages and shop names, which are currently not sanitized. This allows arbitrary JavaScript to execute in a user's browser simply by visiting the shop pages. As a result, any user logged in to FluxCP can have their session information stolen. This issue has been addressed in release version 1.3.
References: https://github.com/rathena/FluxCP/security/advisories/GHSA-xvqv-25vf-88g4
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-4421 – rAthena FluxCP Service Desk Image URL view.php cross site scripting
https://notcve.org/view.php?id=CVE-2022-4421
A vulnerability was found in rAthena FluxCP. It has been classified as problematic. Affected is an unknown function of the file themes/default/servicedesk/view.php of the component Service Desk Image URL Handler. The manipulation of the argument sslink leads to cross-site scripting. It is possible to launch the attack remotely.
References: https://github.com/rathena/FluxCP/commit/8a39b2b2bf28353b3503ff1421862393db15aa7e ; https://vuldb.com/?id.215304
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-707: Improper Neutralization