CVE-2024-2727

Published Mar 22, 2024

Last updated 5 months ago

CVSS medium 6.1

Overview

Description
HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.
Source
cve-coordination@incibe.es
NVD status
Analyzed
Products
ciges

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

cve-coordination@incibe.es
CWE-79

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.CVE-2024-2728
  2. Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.CVE-2024-2726
  3. Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.CVE-2024-2725
  4. SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.CVE-2024-2724
  5. SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.CVE-2024-2723

References

Sources include official advisories and independent security research.