CVE-2024-25627 LOW

CVE-2024-25627: Cross-Site Scripting (XSS) via File Upload in Alf.io

Vendor Alfio-Event

Product alf.io

Weakness CWE-79 · XSS

Published February 16, 2024

Last update August 26, 2024

View on NVD All CVEs

CVSS base score

3.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

February 16, 2024 CVE published

August 26, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-25627

Related vulnerabilities

CVE-2024-25627: Cross-Site Scripting (XSS) via File Upload in Alf.io

01Description

02Disclosure timeline

03References

04Related CVE