CVE-2023-5811

flusity CMS posts.php loadPostAddForm cross site scripting

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A vulnerability, which was classified as problematic, was found in flusity CMS. Affected is the function loadPostAddForm of the file core/tools/posts.php. The manipulation of the argument menu_id leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as 6943991c62ed87c7a57989a0cb7077316127def8. It is recommended to apply a patch to fix this issue. VDB-243642 is the identifier assigned to this vulnerability.

Una vulnerabilidad fue encontrada en flusity CMS y clasificada como problemática. La función loadPostAddForm del archivo core/tools/posts.php es afectada por la vulnerabilidad. La manipulación del argumento menu_id conduce a cross site scripting. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al público y puede utilizarse. Este producto utiliza entrega continua con lanzamientos continuos. Por lo tanto, no hay detalles disponibles de las versiones afectadas ni actualizadas. El parche se identifica como 6943991c62ed87c7a57989a0cb7077316127def8. Se recomienda aplicar un parche para solucionar este problema. VDB-243642 es el identificador asignado a esta vulnerabilidad.

Es wurde eine Schwachstelle in flusity CMS gefunden. Sie wurde als problematisch eingestuft. Es geht dabei um die Funktion loadPostAddForm der Datei core/tools/posts.php. Durch die Manipulation des Arguments menu_id mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung. Dieses Produkt verzichtet auf eine Versionierung und verwendet stattdessen Rolling Releases. Deshalb sind keine Details zu betroffenen oder zu aktualisierende Versionen vorhanden. Der Patch wird als 6943991c62ed87c7a57989a0cb7077316127def8 bezeichnet. Als bestmögliche Massnahme wird Patching empfohlen.

*Credits: zihe

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Multiple

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-26 CVE Reserved
2023-10-27 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-09-26 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://github.com/flusity/flusity-CMS/issues/3	2024-08-02

URL	Date	SRC
https://github.com/flusity/flusity-CMS/commit/6943991c62ed87c7a57989a0cb7077316127def8	2024-06-04

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Flusity Search vendor "Flusity"		Flusity Search vendor "Flusity" for product "Flusity"				<= 2.304 Search vendor "Flusity" for product "Flusity" and version " <= 2.304"		-		Affected