Skip to main content

I Librarian CVE-2024-40500

HIGH
Cross-site Scripting (XSS) (CWE-79)
2024-08-12 cve@mitre.org
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 12, 2024 - 17:15 nvd
HIGH 8.6

DescriptionNVD

Cross Site Scripting vulnerability in Martin Kucej i-librarian v.5.11.0 and before allows a local attacker to execute arbitrary code via the search function in the import component.

AnalysisAI

Cross Site Scripting vulnerability in Martin Kucej i-librarian v.5.11.0 and before allows a local attacker to execute arbitrary code via the search function in the import component. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross Site Scripting vulnerability in Martin Kucej i-librarian v.5.11.0 and before allows a local attacker to execute arbitrary code via the search function in the import component. Affected products include: Scilico I\, Librarian.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2018-1000124 CRITICAL POC
10.0 Mar 13

I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of import

CVE-2017-1000237 CRITICAL POC
9.8 Nov 17

I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side Request Forgery in the ajaxsupplement.php resulting in the

CVE-2017-1000235 CRITICAL POC
9.8 Nov 17

I, Librarian version <=4.6 & 4.7 is vulnerable to OS Command Injection in batchimport.php resulting the web server being

CVE-2018-1000138 CRITICAL POC
9.1 Mar 23

I, Librarian version 4.8 and earlier contains a SSRF vulnerability in "url" parameter of getFromWeb in functions.php tha

CVE-2018-1000137 HIGH POC
8.8 Mar 23

I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can re

CVE-2023-3020 MEDIUM POC
6.1 May 31

Cross-site Scripting (XSS) - Reflected in GitHub repository mkucej/i-librarian-free prior to 5.10.4. Rated medium severi

CVE-2019-11449 MEDIUM POC
6.1 Apr 22

I, Librarian 4.10 has XSS via the notes.php notes parameter. Rated medium severity (CVSS 6.1), this vulnerability is rem

CVE-2019-11428 MEDIUM POC
6.1 Apr 22

I, Librarian 4.10 has XSS via the export.php export_files parameter. Rated medium severity (CVSS 6.1), this vulnerabilit

CVE-2019-11359 MEDIUM POC
6.1 Apr 20

Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary

CVE-2018-1000139 MEDIUM POC
6.1 Mar 23

I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php

CVE-2017-1000236 MEDIUM POC
6.1 Nov 17

I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cross-Site Scripting in the temp.php resulting in an attacke

CVE-2023-3021 MEDIUM POC
5.4 May 31

Cross-site Scripting (XSS) - Stored in GitHub repository mkucej/i-librarian-free prior to 5.10.4. Rated medium severity

Share

CVE-2024-40500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy