CVE-2024-23893 HIGH

CVE-2024-23893: Cross-Site Scripting (XSS) vulnerability in Cups Easy

Vendor Cups Easy

Product Cups Easy (Purchase & Inventory)

Weakness CWE-79 · XSS

Published January 26, 2024

Last update May 29, 2025

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentermodify.php, in the costcenterid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

Key dates

02Disclosure timeline

January 26, 2024 CVE published

May 29, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-23893

Related vulnerabilities

CVE-2024-23893: Cross-Site Scripting (XSS) vulnerability in Cups Easy

01Description

02Disclosure timeline

03References

04Related CVE