CVE-2024-7875 MEDIUM

CVE-2024-7875: XSS in Tungsten Automation TotalAgility

Vendor Tungsten Automation
Product TotalAgility
Weakness CWE-79 · XSS
Published December 6, 2024
Last update December 10, 2024
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Tungsten Automation (Kofax) TotalAgility in versions all through 7.9.0.25.0.954 is vulnerable to a Reflected XSS attacks through mfpScreenResolutionWidth parameter manipulation in a form sent to an endpoint /TotalAgility/Kofax/BrowserDevice/ScanFront.aspx This allows for injection of a malicious JavaScript code, leading to a possible information leak.  Exploitation is possible only while using POST requests and also requires retrieving/generating a proper VIEWSTATE parameter, which limits the risk of a successful attack.

Key dates

02Disclosure timeline

December 6, 2024 CVE published
December 10, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2014-125027 Yuna Scatari TBDev usersearch.php get_user_icons cross site scripting CVE-2023-45835 WordPress Libsyn Publisher Hub Plugin <= 1.4.4 is vulnerable to Cross Site Scripting (XSS) CVE-2021-24362 Photo Gallery < 1.5.75 - Stored Cross-Site Scripting via Uploaded SVG CVE-2025-13739 CryptX <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2023-6807 GeneratePress Premium <= 2.3.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom Meta