CVE-2024-6892
Journyx Reflected Cross Site Scripting
Severity Score
6.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application.
Los atacantes pueden crear un enlace malicioso que, una vez hecho clic, ejecutará JavaScript arbitrario en el contexto de la aplicación web Journyx.
Journyx version 11.5.4 suffers from a cross site scripting vulnerability due to mishandling of the error_description during an active directory login flow.
*Credits:
Jaggar Henry of KoreLogic, Inc.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-07-18 CVE Reserved
- 2024-08-07 CVE Published
- 2024-08-09 CVE Updated
- 2024-09-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://korelogic.com/Resources/Advisories/KL-001-2024-009.txt | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Journyx Search vendor "Journyx" | Journyx (jtime) Search vendor "Journyx" for product "Journyx (jtime)" | 11.5.4 Search vendor "Journyx" for product "Journyx (jtime)" and version "11.5.4" | en |
Affected
| ||||||