Skip to main content

Fuel Cms CVE-2024-25369

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-02-22 cve@mitre.org
5.4
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 22, 2024 - 20:15 cve.org
MEDIUM 5.4

DescriptionCVE.org

A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the group_id parameter.

AnalysisAI

A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the group_id parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A reflected Cross-Site Scripting (XSS) vulnerability in FUEL CMS 1.5.2allows attackers to run arbitrary code via crafted string after the group_id parameter. Affected products include: Thedaylightstudio Fuel Cms.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2021-38727 CRITICAL POC
9.8 Sep 09

FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items. Rated critical severity (CVS

CVE-2020-17463 CRITICAL POC
9.8 Aug 13

FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. Rat

CVE-2018-16763 CRITICAL POC
9.8 Sep 09

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. Rated c

CVE-2023-33557 HIGH POC
8.8 Jun 09

Fuel CMS v1.5.2 was discovered to contain a SQL injection vulnerability via the id parameter at /controllers/Blocks.php.

CVE-2021-38723 HIGH POC
8.8 Sep 09

FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items. Rated high severity (CVSS 8

CVE-2019-15229 HIGH POC
8.8 Aug 20

FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. Rated high severity (CVSS 8.8)

CVE-2018-20188 HIGH POC
8.8 Dec 17

FUEL CMS 1.4.3 has CSRF via users/create/ to add an administrator account. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-16416 HIGH POC
8.8 Sep 03

Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inline= in FUEL CMS 1.4 allows remote attackers to ch

CVE-2021-38290 HIGH POC
8.1 Aug 09

A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel

CVE-2021-47980 HIGH POC
7.1 May 16

Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database

CVE-2021-38721 MEDIUM POC
6.5 Sep 09

FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability. Rated medium severity (CVSS 6.5), t

CVE-2020-26167 CRITICAL
9.8 Nov 04

In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any acco

Share

CVE-2024-25369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy