CVE-2024-25627

Published: Feb 16, 2024

Modified: Aug 26, 2024

PUBLISHED

CVSS v3.1

3.5

LOW

Description

Alf.io is a free and open source event attendance management system. An administrator on the alf.io application is able to upload HTML files that trigger JavaScript payloads. As such, an attacker gaining administrative access to the alf.io application may be able to persist access by planting an XSS payload. This issue has been addressed in version 2.0-M4-2402. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
alfio-event	alf.io	affected `< 2.0-M4-2304`

Weaknesses (CWE)

CWE-79

CWE-434

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/alfio-event/alf.io/security/advisories/GHSA-gpmg-8f92-37cf

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-25627

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References