CVE-2024-2594 HIGH

CVE-2024-2594: Cross-Site Scripting (XSS) in AMSS++

Vendor Amssplus

Product AMSS++

Weakness CWE-79 · XSS

Published March 18, 2024

Last update August 1, 2024

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/admin/index.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.

Key dates

02Disclosure timeline

March 18, 2024 CVE published

August 1, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-2594 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-8474 Possible to run a Cross Site Scripting request on the login API available on Stormshield SNS appliances. CVE-2024-10878 Sugar Calendar (Lite) <= 3.3.0 - Reflected Cross-Site Scripting CVE-2024-4482 The Plus Addons for Elementor <= 5.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget CVE-2024-7660 SourceCodester File Manager App Add File cross site scripting CVE-2021-1239 Cisco Firepower Management Center Stored Cross-Site Scripting Vulnerabilities