CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Jul 2024 — A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter htmlid. • https://github.com/4rdr/proofs/blob/main/info/Alfresco_Reflected_XSS_via_htmlid_parameter.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 | EPSS: 6% | CPEs: 1 | EXPL: 1

11 Dec 2023 — An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873. • https://github.com/mbadanoiu/CVE-2023-49964 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')