CVE-2024-33670
CVE-2024-33670 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. It affects Passbolt API before 4.6.2 and allows HTML injection through a URL parameter: attacker-chosen markup is rendered when a user opens the crafted URL, although Content Security Policy (CSP) restrictions prevent it from executing as JavaScript. EPSS estimates a 0.48% chance of exploitation in the next 30 days.
Description
Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.
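To make the description concrete, the following is an added illustration (not Passbolt code, and not tied to whichever parameter Passbolt actually reflected) of a reflected HTML injection: a handler that copies a URL query parameter straight into its HTML response, beside the hardened form that output-encodes it, plus a small check of whether a Content-Security-Policy header would stop injected markup from running as inline script. The URL, the hypothetical parameter name `message`, and the sample headers are all constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL. The parameter name "message" is hypothetical; the
# value is a harmless-looking styled notice that a page would render as markup.
CRAFTED_URL = (
    "https://passbolt.example/auth/login?message="
    "%3Cdiv%20class%3D%22alert%22%3EYour%20session%20expired%2C"
    "%20re-enter%20your%20passphrase%3C%2Fdiv%3E"
)


def query_param(url, name):
    """Return the first value of a query parameter, URL-decoded ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Reflects the raw parameter into the page: this is the HTML injection."""
    return f"<p id='notice'>{query_param(url, 'message')}</p>"


def render_fixed(url):
    """Output-encodes the parameter, so the browser displays it as plain text."""
    return f"<p id='notice'>{html.escape(query_param(url, 'message'), quote=True)}</p>"


def contains_injected_markup(rendered):
    """Detection helper: does an attacker-supplied element survive into the output?"""
    return "<div" in rendered


def csp_blocks_inline_script(headers):
    """True when the Content-Security-Policy header forbids inline script.

    Simplified: looks at script-src (falling back to default-src) and treats
    'unsafe-inline' as permitting inline script; nonces and hashes are not modeled.
    """
    csp = headers.get("Content-Security-Policy", "")
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no applicable directive: inline script is allowed by default
    return "'unsafe-inline'" not in sources


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_URL))
    print("fixed:     ", render_fixed(CRAFTED_URL))
    strict = {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}
    print("strict CSP blocks inline script:", csp_blocks_inline_script(strict))
```

The CSP check explains the severity rating rather than the fix: a policy without `'unsafe-inline'` stops injected `<script>` from running, but it does nothing about injected text, forms or styled elements, which is why output encoding (the `render_fixed` path) is the actual remediation and CSP remains defence in depth.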
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Decoded: network attack vector, low attack complexity, no privileges required, user interaction required (the victim must open the crafted URL), unchanged scope, low confidentiality impact, no integrity or availability impact.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Passbolt | Passbolt Api | < 4.6.2 |
References
- https://help.passbolt.com/incidents/reflective-html-injection-vulnerability (Issue Tracking, Vendor Advisory)
- https://www.passbolt.com/incidents (Issue Tracking, Vendor Advisory)
Frequently Asked Questions
What is CVE-2024-33670?
A reflected HTML injection in Passbolt API before 4.6.2: markup supplied in a URL parameter is rendered on the page a user lands on when opening the crafted URL. CSP prevents it from running as JavaScript, but it can still alter what the page shows and how the user interacts with it.
How severe is CVE-2024-33670?
Medium, with a CVSS 3.1 base score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N); EPSS estimates a 0.48% chance of exploitation in the next 30 days.
How do I fix CVE-2024-33670?
Upgrade Passbolt API to 4.6.2 or later, the first version the vendor advisory lists as not affected.
Source: NVD / NIST
