CVE-2024-8776

MEDIUM
2024-09-16
6.1
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
CVE Published: Sep 16, 2024 - 06:15 (nvd), MEDIUM 6.1

Description

SmartRobot from INTUMIT does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject JavaScript code into the parameter for Reflected Cross-site Scripting attacks.

Analysis

SmartRobot by INTUMIT contains a reflected cross-site scripting (XSS) vulnerability in an insufficiently validated page parameter that allows unauthenticated remote attackers to inject malicious JavaScript code. An attacker can craft a malicious URL and trick users into clicking it, enabling session hijacking, credential theft, or malware distribution. With a CVSS score of 6.1 and EPSS score of 0.18% (39th percentile), the vulnerability is of moderate severity with relatively low current exploitation probability, though the low attack complexity and lack of authentication requirements make it practically exploitable.

Technical Context

The vulnerability stems from insufficient input validation on a specific page parameter in SmartRobot, falling under CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected application, identified via CPE cpe:2.3:a:intumit:smartrobot:*:*:*:*:*:*:*:*, fails to properly sanitize or encode user-supplied input before rendering it in HTTP responses. This classic reflected XSS vulnerability occurs when the application echoes unsanitized user input directly into the HTML output without contextual encoding, allowing attackers to break out of HTML attributes or tags and inject arbitrary JavaScript that executes in victims' browsers with their full privileges and session context.

Affected Products

SmartRobot from INTUMIT is affected across all versions as indicated by the CPE string cpe:2.3:a:intumit:smartrobot:*:*:*:*:*:*:*:*, suggesting the vulnerability impacts the entire product line without a specified version ceiling. Additional technical details and vendor guidance can be found in the Taiwan Computer Emergency Response Team (TWCERT) advisory at https://www.twcert.org.tw/en/cp-139-8070-d10bc-2.html (English version) and https://www.twcert.org.tw/tw/cp-132-8069-73393-1.html (Traditional Chinese version).

Remediation

Contact INTUMIT immediately to obtain a patched version of SmartRobot that includes proper input validation and output encoding for the affected page parameter. Until a patch is available, implement input validation on the server side by validating the page parameter against a whitelist of expected values and applying HTML entity encoding to all reflected output. Additionally, deploy a web application firewall (WAF) rule set configured to detect and block common XSS payloads in the page parameter, enforce Content Security Policy (CSP) headers to prevent inline script execution, and educate users to avoid clicking untrusted links to the SmartRobot application. Refer to the TWCERT advisories at https://www.twcert.org.tw/en/cp-139-8070-d10bc-2.html and https://www.twcert.org.tw/tw/cp-132-8069-73393-1.html for vendor-specific remediation guidance.
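To make the interim server-side fix concrete, the following Python example (added here, not INTUMIT's code or anything from the TWCERT advisory) shows the CWE-79 pattern of reflecting the decoded page parameter straight into HTML beside a hardened handler that allow-lists the value, HTML-encodes anything it echoes, and attaches the CSP header the remediation recommends. The page names in ALLOWED_PAGES and the probe query string are constructed assumptions; SmartRobot's real values are not public.

```python
import html
from urllib.parse import parse_qs

# Constructed allow-list of page identifiers (assumption; the real set is unknown).
ALLOWED_PAGES = frozenset({"home", "faq", "contact"})

# Headers from the remediation guidance: a CSP that refuses inline script, plus
# nosniff so encoded text is never reinterpreted as script elsewhere.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}


def page_param(query: str) -> str:
    """Return the first URL-decoded 'page' value from a raw query string."""
    return parse_qs(query).get("page", [""])[0]


def render_unsafe(query: str) -> str:
    """CWE-79 pattern: the decoded parameter is spliced into HTML unencoded."""
    return f"<h1>Page: {page_param(query)}</h1>"


def render_hardened(query: str) -> tuple[int, dict, str]:
    """Allow-list the parameter, then HTML-encode whatever is echoed back.

    Returns (status, headers, body) so callers can see that an unexpected value
    is rejected with 400 instead of being reflected as markup.
    """
    page = page_param(query)
    if page not in ALLOWED_PAGES:
        # The error page is an HTML output context too, so the value is still encoded.
        body = f"<h1>Unknown page: {html.escape(page, quote=True)}</h1>"
        return 400, dict(SECURITY_HEADERS), body
    body = f"<h1>Page: {html.escape(page, quote=True)}</h1>"
    return 200, dict(SECURITY_HEADERS), body


def reflects_raw_markup(body: str, value: str) -> bool:
    """Detection check: True when the decoded value appears verbatim in the response."""
    return value in body


if __name__ == "__main__":
    # Constructed probe: benign markup that reveals whether tags come back unencoded.
    probe = "page=%3Cb%3Eprobe%3C%2Fb%3E"  # decodes to page=<b>probe</b>
    print(render_unsafe(probe))
    print(render_hardened(probe)[2])
```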

Priority Score

Priority Score: 31 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.2
CVSS: +30
POC: 0


CVE-2024-8776 vulnerability details – vuln.today
