Dot CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2024-3938
The quotreset passwordquot login page accepted an HTML injection via URL parameters. This has already been rectified via patch and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin//public/loginresetEmailSenttrueampresetEmail3Ch13E3Ca20href3D22https:2F2Fgoogle.com223ECLICK20ME3C2Fa3E3C2Fh13E This will result in a view along these lines: OWASP Top 10 - A03: Injection CVSS Score: 5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator https://nvd.nist.gov/vuln-metrics/cvss/v3-calculatorvectorAV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:Namp... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator