CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47826 – eLabFTW vulnerable to HTML Injection in extended search error message
https://notcve.org/view.php?id=CVE-2024-47826
eLabFTW is an open source electronic lab notebook for research labs. A vulnerability in versions prior to 5.1.5 allows an attacker to inject arbitrary HTML tags in the pages: "experiments.php" (show mode), "database.php" (show mode) or "search.php". It works by providing HTML code in the extended search string, which will then be displayed back to the user in the error message. This means that injected HTML will appear in a red "alert/danger" box, and be part of an error message. Due to some other security measures, it is not possible to execute arbitrary javascript from this attack. • https://github.com/elabftw/elabftw/security/advisories/GHSA-cjww-pr9f-4c4w https://www.acunetix.com/vulnerabilities/web/html-injection • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45408 – eLabFTW contains a direct and indirect information disclosure
https://notcve.org/view.php?id=CVE-2024-45408
eLabFTW is an open source electronic lab notebook for research labs. An incorrect permission check has been found that could allow an authenticated user to access several kinds of otherwise restricted information. If anonymous access is allowed (something disabled by default), this extends to anyone. Users are advised to upgrade to at least version 5.1.0. System administrators can disable anonymous access in the System configuration panel. • https://github.com/elabftw/elabftw/security/advisories/GHSA-2c83-6j74-w8r5 • CWE-284: Improper Access Control •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25632 – Unauthorised granting of administrator privileges over arbitrary teams under certain circumstances
https://notcve.org/view.php?id=CVE-2024-25632
eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerability allows a regular user to become administrator of a team where they are a member, under a reasonable configuration. Additionally, in eLabFTW versions subsequent to v5.0.0, the vulnerability may allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. • https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg • CWE-266: Incorrect Privilege Assignment CWE-842: Placement of User into Incorrect Group •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28100 – Stored Cross-site Scripting leading to arbitrary actions taken on behalf of users in elabftw
https://notcve.org/view.php?id=CVE-2024-28100
eLabFTW is an open source electronic lab notebook for research labs. By uploading specially crafted files, a regular user can create a circumstance where a visitor's browser runs arbitrary JavaScript code in the context of the eLabFTW application. This can be triggered by the visitor viewing a list of experiments. Viewing this allows the malicious script to act on behalf of the visitor in any way, including the creation of API keys for persistence, or other options normally available to the user. If the user viewing the page has the sysadmin role in eLabFTW, the script can act as a sysadmin (including system configuration and extensive user management roles). • https://github.com/elabftw/elabftw/security/advisories/GHSA-xp3v-w8cx-cqxc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25633 – In eLabFTW, if administrators can create users, users can too
https://notcve.org/view.php?id=CVE-2024-25633
eLabFTW is an open source electronic lab notebook for research labs. In an eLabFTW system, one can configure who is allowed to create new user accounts. A vulnerability has been found starting in version 4.4.0 and prior to version 5.0.0 that allows regular users to create new, validated accounts in their team. If the system has anonymous access enabled (disabled by default) an unauthenticated user can create regular users in any team. This vulnerability has been fixed since version 5.0.0, released on February 17th 2024. • https://github.com/elabftw/elabftw/security/advisories/GHSA-v677-8x8p-636v • CWE-266: Incorrect Privilege Assignment •