CVE-2024-23906 MEDIUM

CVE-2024-23906

Vendor Gallagher
Product Controller 6000 and Controller 7000
Weakness CWE-79 · XSS
Published September 11, 2024
Last update September 11, 2024
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation (CWE-79) in the Controller 6000 and Controller 7000 diagnostic webpage allows an attacker to modify Controller configuration during an authenticated Operator's session. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior.

Key dates

02Disclosure timeline

September 11, 2024 CVE published
September 11, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-11880 SM CountDown Widget <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-48131 WordPress UltraAddons Elementor Lite plugin <= 2.0.2 - Cross Site Scripting (XSS) vulnerability CVE-2023-6684 Ibtana – WordPress Website Builder <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2025-8777 planetcalc <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via language Parameter CVE-2026-47958 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)