Skip to main content

Bolt CVE-2024-7300

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-07-31 cna@vuldb.com
5.3
CVSS 4.0 · Vendor: vuldb
Share

Severity by source

Vendor (vuldb) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vuldb) · only source for this CVE.

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Jul 31, 2024 - 07:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

A vulnerability classified as problematic has been found in Bolt CMS 3.7.1. Affected is an unknown function of the file /bolt/editcontent/showcases of the component Showcase Creation Handler. The manipulation of the argument title/textarea leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.

AnalysisAI

A vulnerability classified as problematic has been found in Bolt CMS 3.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A vulnerability classified as problematic has been found in Bolt CMS 3.7.1. Affected is an unknown function of the file /bolt/editcontent/showcases of the component Showcase Creation Handler. The manipulation of the argument title/textarea leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life. Affected products include: Boltcms Bolt.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Bolt

View all
CVE-2025-34086 HIGH POC
8.8 Jul 03

Pandora FMS monitoring platform version 7.0NG and earlier contains an authenticated command injection in the net_tools.p

CVE-2015-7309 MEDIUM POC
6.5 Sep 22

The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authent

CVE-2019-10874 HIGH POC
8.8 Apr 05

Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to ex

CVE-2019-9185 HIGH POC
8.8 Mar 07

Controller/Async/FilesystemManager.php in the filemanager in Bolt before 3.6.5 allows remote attackers to execute arbitr

CVE-2020-4041 MEDIUM POC
6.1 Jun 08

In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. Rated medium severity (CV

CVE-2019-9553 MEDIUM POC
6.1 Dec 31

Bolt 3.6.4 has XSS via the slug, teaser, or title parameter to editcontent/pages, a related issue to CVE-2017-11128 and

CVE-2019-20058 MEDIUM POC
6.1 Dec 29

Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profil

CVE-2023-5214 CRITICAL
9.8 Oct 06

In Puppet Bolt versions prior to 3.27.4, a path to escalate privileges was identified. Rated critical severity (CVSS 9.8

CVE-2017-11128 MEDIUM POC
5.4 Jul 17

Bolt CMS 3.2.14 allows stored XSS via text input, as demonstrated by the Title field of a New Entry. Rated medium severi

CVE-2017-11127 MEDIUM POC
5.4 Jul 17

Bolt CMS 3.2.14 allows stored XSS by uploading an SVG document with a "Content-Type: image/svg+xml" header. Rated medium

CVE-2024-7299 MEDIUM POC
5.3 Jul 31

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Bolt CMS 3.7.1. Rated medium severity (CVSS 5.3), this vuln

CVE-2022-31321 CRITICAL
9.1 Aug 01

The foldername parameter in Bolt 5.1.7 was discovered to have incorrect input validation, allowing attackers to perform

Share

CVE-2024-7300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy