
CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Apr 2024 — Iris is a web collaborative platform aiming to help incident responders share technical details during investigations. Due to an improper setup of the Jinja2 environment, report generation in `iris-web` is prone to a Server Side Template Injection (SSTI). Successful exploitation of the vulnerability can lead to arbitrary Remote Code Execution. An authenticated administrator has to upload a crafted report template containing the payload. Upon generation of a report based on the weaponized report, any user ... • https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m64w-f7fg-hpcr • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Feb 2024 — Iris is a web collaborative platform that helps incident responders share technical details during investigations. A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.4.0. The vulnerability may allow an attacker to inject malicious scripts into the application, which could then be executed when a user visits the affected locations. This could lead to unauthorized access, data theft, or other related malicious activities. An ... • https://github.com/dfir-iris/iris-web/security/advisories/GHSA-2xq6-qc74-w5vp • CWE-87: Improper Neutralization of Alternate XSS Syntax