Strix
26.1K

CVE-2024-10242

MEDIUMCVSS 6.1/10EPSS 0.24%

Last modified

CVE-2024-10242 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. EPSS estimates a 0.24% chance of exploitation in the next 30 days.

Description

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

Metrics

CVSS 3.1
6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.24%

14.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Wso2Api Manager>= 3.2.0, < 3.2.0.401
Wso2Api Manager>= 4.0.0, < 4.0.0.318

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-10242?
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
How severe is CVE-2024-10242?
CVE-2024-10242 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.24% probability of exploitation in the next 30 days.
How do I fix CVE-2024-10242?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-10242?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST