Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-38293

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-13 Jun, 2024 | 00:00
Updated At-02 Aug, 2024 | 04:04
Rejected At-
Credits

ALCASAR before 3.6.1 allows CSRF and remote code execution in activity.php.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:13 Jun, 2024 | 00:00
Updated At:02 Aug, 2024 | 04:04
Rejected At:
▼CVE Numbering Authority (CNA)

ALCASAR before 3.6.1 allows CSRF and remote code execution in activity.php.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://adullact.net/frs/download.php/file/8930/CHANGELOG.md
N/A
https://alcasar.net/download
N/A
Hyperlink: https://adullact.net/frs/download.php/file/8930/CHANGELOG.md
Resource: N/A
Hyperlink: https://alcasar.net/download
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
alcasar
Product
alcasar
CPEs
  • cpe:2.3:o:alcasar:alcasar:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 3.6.1 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://adullact.net/frs/download.php/file/8930/CHANGELOG.md
x_transferred
https://alcasar.net/download
x_transferred
Hyperlink: https://adullact.net/frs/download.php/file/8930/CHANGELOG.md
Resource:
x_transferred
Hyperlink: https://alcasar.net/download
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:13 Jun, 2024 | 05:15
Updated At:18 Jun, 2025 | 17:28

ALCASAR before 3.6.1 allows CSRF and remote code execution in activity.php.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CPE Matches
alcasar
alcasar
>>alcasar>>Versions before 3.6.1(exclusive)
cpe:2.3:a:alcasar:alcasar:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-352
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://adullact.net/frs/download.php/file/8930/CHANGELOG.mdcve@mitre.org
Release Notes
https://alcasar.net/downloadcve@mitre.org
Product
https://adullact.net/frs/download.php/file/8930/CHANGELOG.mdaf854a3a-2127-422b-91ae-364da2661108
Release Notes
https://alcasar.net/downloadaf854a3a-2127-422b-91ae-364da2661108
Product
Hyperlink: https://adullact.net/frs/download.php/file/8930/CHANGELOG.md
Source: cve@mitre.org
Resource:
Release Notes
Hyperlink: https://alcasar.net/download
Source: cve@mitre.org
Resource:
Product
Hyperlink: https://adullact.net/frs/download.php/file/8930/CHANGELOG.md
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Release Notes
Hyperlink: https://alcasar.net/download
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Product

Change History

0
Information is not available yet

Similar CVEs

53Records found
CVE-2021-25010
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.6||CRITICAL
EPSS-0.15% / 36.05%
||
7 Day CHG+0.01%
Published-28 Feb, 2022 | 09:06
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post Snippets < 3.1.4 - CSRF to Stored Cross-Site Scripting

The Post Snippets WordPress plugin before 3.1.4 does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues

Action-Not Available
Vendor-postsnippetsUnknown
Product-post_snippetsPost Snippets
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24884
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.6||CRITICAL
EPSS-19.16% / 95.12%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:20
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Formidable Form Builder < 4.09.05 - Unauthenticated Stored Cross-Site Scripting

The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.

Action-Not Available
Vendor-UnknownStrategy11
Product-formidable_form_builderFormidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-31988
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.7||CRITICAL
EPSS-8.29% / 91.89%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 20:40
Updated-21 Feb, 2025 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform CSRF remote code execution through the realtime HTML Converter API

XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the attacker can get the admin to execute arbitrary XWiki syntax including scripting macros with Groovy or Python code. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9. As a workaround, one may update `RTFrontend.ConvertHTML` manually with the patch. This will, however, break some synchronization processes in the realtime editor, so upgrading should be the preferred way on installations where this editor is used.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platformxwiki
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • Next
Details not found