Dot CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2024-3938 - Vulnerability Database

Dot CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2024-3938

Medium
Reference: CVE-2024-3938
Title: Dot CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

The quotreset passwordquot login page accepted an HTML injection via URL parameters. This has already been rectified via patch and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin//public/loginresetEmailSenttrueampresetEmail3Ch13E3Ca20href3D22https:2F2Fgoogle.com223ECLICK20ME3C2Fa3E3C2Fh13E This will result in a view along these lines: OWASP Top 10 - A03: Injection CVSS Score: 5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator https://nvd.nist.gov/vuln-metrics/cvss/v3-calculatorvectorAV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:Namp... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator