CVE-2024-2728

Published Mar 22, 2024

Last updated 5 months ago

CVSS medium 4.1

Overview

Description
Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.
Source
cve-coordination@incibe.es
NVD status
Analyzed
Products
ciges

Risk scores

CVSS 3.1

Type
Primary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

cve-coordination@incibe.es
CWE-200

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.CVE-2024-2727
  2. Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.CVE-2024-2726
  3. Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.CVE-2024-2725
  4. SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.CVE-2024-2724
  5. SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.CVE-2024-2723

References

Sources include official advisories and independent security research.