CVE-2024-23895 HIGH

CVE-2024-23895: Cross-Site Scripting (XSS) vulnerability in Cups Easy

Vendor Cups Easy
Product Cups Easy (Purchase & Inventory)
Weakness CWE-79 · XSS
Published February 2, 2024
Last update August 1, 2024

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/locationcreate.php, in the locationid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

Key dates

02Disclosure timeline

February 2, 2024 CVE published
August 1, 2024 Record updated