Smartrobot
CVE-2024-8776
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
SmartRobot from INTUMIT does not properly validate a specific page parameter, allowing unautheticated remote attackers to inject JavaScript code to the parameter for Reflected Cross-site Scripting attacks.
AnalysisAI
SmartRobot by INTUMIT contains a reflected cross-site scripting (XSS) vulnerability in an insufficiently validated page parameter that allows unauthenticated remote attackers to inject malicious JavaScript code. An attacker can craft a malicious URL and trick users into clicking it, enabling session hijacking, credential theft, or malware distribution. With a CVSS score of 6.1 and EPSS score of 0.18% (39th percentile), the vulnerability is of moderate severity with relatively low current exploitation probability, though the low attack complexity and lack of authentication requirements make it practically exploitable.
Technical ContextAI
The vulnerability stems from insufficient input validation on a specific page parameter in SmartRobot, falling under CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected application, identified via CPE cpe:2.3:a:intumit:smartrobot:*:*:*:*:*:*:*:*, fails to properly sanitize or encode user-supplied input before rendering it in HTTP responses. This classic reflected XSS vulnerability occurs when the application echoes unsanitized user input directly into the HTML output without contextual encoding, allowing attackers to break out of HTML attributes or tags and inject arbitrary JavaScript that executes in victims' browsers with their full privileges and session context.
RemediationAI
Contact INTUMIT immediately to obtain a patched version of SmartRobot that includes proper input validation and output encoding for the affected page parameter. Until a patch is available, implement input validation on the server side by validating the page parameter against a whitelist of expected values and applying HTML entity encoding to all reflected output. Additionally, deploy a web application firewall (WAF) rule set configured to detect and block common XSS payloads in the page parameter, enforce Content Security Policy (CSP) headers to prevent inline script execution, and educate users to avoid clicking untrusted links to the SmartRobot application. Refer to the TWCERT advisories at https://www.twcert.org.tw/en/cp-139-8070-d10bc-2.html and https://www.twcert.org.tw/tw/cp-132-8069-73393-1.html for vendor-specific remediation guidance.
More in Smartrobot
View allA critical authentication bypass vulnerability exists in Intumit SmartRobot due to the use of a hard-coded encryption ke
A remote code execution vulnerability exists in Intumit SmartRobot's web framework that allows unauthenticated attackers
A Improper Control of Generation of Code ('Code Injection') vulnerability in groovy script function in SmartRobot′s Conv
SmartRobot from INTUMIT has a Server-Side Request Forgery vulnerability, allowing unauthenticated remote attackers to pr
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today