CVE-2024-21504
https://notcve.org/view.php?id=CVE-2024-21504
19 Mar 2024 — Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it. • https://github.com/livewire/livewire/commit/c65b3f0798ab2c9338213ede3588c3cdf4e6fcc0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-22859
https://notcve.org/view.php?id=CVE-2024-22859
01 Feb 2024 — Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4 allows remote attackers to execute arbitrary code in the getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem. • https://github.com/github/advisory-database/pull/3490 • CWE-352: Cross-Site Request Forgery (CSRF)