CVE-2024-23867 HIGH

CVE-2024-23867: Cross-Site Scripting (XSS) vulnerability in Cups Easy

Vendor Cups Easy

Product Cups Easy (Purchase & Inventory)

Weakness CWE-79 · XSS

Published January 26, 2024

Last update May 29, 2025

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statecreate.php, in the stateid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

Key dates

02Disclosure timeline

January 26, 2024 CVE published

May 29, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-23867

Related vulnerabilities

04Related CVE

CVE-2023-7070 Email Encoder – Protect Email Addresses and Phone Numbers <= 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-60146 WordPress Map Categories to Pages Plugin <= 1.3.2 - Cross Site Scripting (XSS) Vulnerability CVE-2020-37225 Powie's WHOIS Domain Check 0.9.31 Persistent Cross-Site Scripting CVE-2026-25343 WordPress WP SMS plugin <= 7.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-29796 WordPress Hot Random Image plugin <= 1.8.1 - Cross Site Scripting (XSS) vulnerability