Toolbox
CVE-2024-9177
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The Themedy Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themedy_col, themedy_social_link, themedy_alertbox, and themedy_pullleft shortcodes in all versions up to, and including, 1.0.14, and up to, and including 1.0.15 for the plugin's themedy_button shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
The Themedy Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themedy_col, themedy_social_link, themedy_alertbox, and themedy_pullleft shortcodes in all. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Themedy Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themedy_col, themedy_social_link, themedy_alertbox, and themedy_pullleft shortcodes in all versions up to, and including, 1.0.14, and up to, and including 1.0.15 for the plugin's themedy_button shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Affected products include: Themedy Toolbox.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
JetBrains ToolBox before version 1.18 is vulnerable to Remote Code Execution via a browser protocol handler. Rated criti
In JetBrains Toolbox App before 2.6 command injection in SSH plugin was possible. Rated high severity (CVSS 8.3), this v
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element. Rated high severity (CVSS 7.8), this vulnerability
JetBrains ToolBox before version 1.18 is vulnerable to a Denial of Service attack via a browser protocol handler. Rated
In JetBrains ToolBox version 1.17 before 1.17.6856, the set of signature verifications omitted the jetbrains-toolbox.exe
In JetBrains Toolbox App before 1.15.5666 for Windows, privilege escalation was possible. Rated high severity (CVSS 7.3)
In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible. Rated me
In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation. Rated m
JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection. Rated medium severity
In JetBrains Toolbox App before 2.2 a DoS attack was possible via a malicious SVG image. Rated medium severity (CVSS 5.5
In JetBrains Toolbox App before 2.6 host key verification was missing in SSH plugin. Rated medium severity (CVSS 4.2), t
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today