Search
Find a vulnerability
Search criteria
2 vulnerabilities found for dynamic-dashboard by lara-zeus
CVE-2024-47817 (GCVE-0-2024-47817)
Vulnerability from nvd – Published: 2024-10-07 21:22 – Updated: 2024-10-08 14:19
VLAI
EPSS
VEX
Title
Unvalidated paragraph widget values can be used for Cross-site Scripting in lara-zeus
Summary
Lara-zeus Dynamic Dashboard simple way to manage widgets for your website landing page, and filament dashboard and Lara-zeus artemis is a collection of themes for the lara-zeus ecosystem. If values passed to a paragraph widget are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a paragraph widget is rendered. Users are advised to upgrade to the appropriate fix versions detailed in the advisory metadata. There are no known workarounds for this vulnerability.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/lara-zeus/dynamic-dashboard/se… | x_refsource_CONFIRM |
| https://github.com/lara-zeus/artemis/commit/3a3f9… | x_refsource_MISC |
| https://github.com/lara-zeus/dynamic-dashboard/co… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| lara-zeus | dynamic-dashboard |
Affected:
lara-zeus/dynamic-dashboard: >= 3.0.0, < 3.0.2
Affected: lara-zeus/artemis: >= 1.0.0, < 1.0.7 |
|
| lara_zeus | dynamic_dashboard |
Affected:
3.0.0 , < 3.0.2
(custom)
Affected: 1.0.0 , < 1.0.7 (custom) cpe:2.3:a:lara_zeus:dynamic_dashboard:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:lara_zeus:dynamic_dashboard:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dynamic_dashboard",
"vendor": "lara_zeus",
"versions": [
{
"lessThan": "3.0.2",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "1.0.7",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-47817",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T14:14:27.634460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:19:30.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dynamic-dashboard",
"vendor": "lara-zeus",
"versions": [
{
"status": "affected",
"version": "lara-zeus/dynamic-dashboard: \u003e= 3.0.0, \u003c 3.0.2"
},
{
"status": "affected",
"version": "lara-zeus/artemis: \u003e= 1.0.0, \u003c 1.0.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lara-zeus Dynamic Dashboard simple way to manage widgets for your website landing page, and filament dashboard and Lara-zeus artemis is a collection of themes for the lara-zeus ecosystem. If values passed to a paragraph widget are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a paragraph widget is rendered. Users are advised to upgrade to the appropriate fix versions detailed in the advisory metadata. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T21:22:18.473Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lara-zeus/dynamic-dashboard/security/advisories/GHSA-c6cw-g7fc-4gwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lara-zeus/dynamic-dashboard/security/advisories/GHSA-c6cw-g7fc-4gwc"
},
{
"name": "https://github.com/lara-zeus/artemis/commit/3a3f9dd8a706af569c5581b20dcfeff91a43b9d9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lara-zeus/artemis/commit/3a3f9dd8a706af569c5581b20dcfeff91a43b9d9"
},
{
"name": "https://github.com/lara-zeus/dynamic-dashboard/commit/adfb4b1cdfdaa01299631f0e569ce201a7cc545a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lara-zeus/dynamic-dashboard/commit/adfb4b1cdfdaa01299631f0e569ce201a7cc545a"
}
],
"source": {
"advisory": "GHSA-c6cw-g7fc-4gwc",
"discovery": "UNKNOWN"
},
"title": "Unvalidated paragraph widget values can be used for Cross-site Scripting in lara-zeus"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47817",
"datePublished": "2024-10-07T21:22:18.473Z",
"dateReserved": "2024-10-03T14:06:12.638Z",
"dateUpdated": "2024-10-08T14:19:30.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47817 (GCVE-0-2024-47817)
Vulnerability from cvelistv5 – Published: 2024-10-07 21:22 – Updated: 2024-10-08 14:19
VLAI
EPSS
VEX
Title
Unvalidated paragraph widget values can be used for Cross-site Scripting in lara-zeus
Summary
Lara-zeus Dynamic Dashboard simple way to manage widgets for your website landing page, and filament dashboard and Lara-zeus artemis is a collection of themes for the lara-zeus ecosystem. If values passed to a paragraph widget are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a paragraph widget is rendered. Users are advised to upgrade to the appropriate fix versions detailed in the advisory metadata. There are no known workarounds for this vulnerability.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/lara-zeus/dynamic-dashboard/se… | x_refsource_CONFIRM |
| https://github.com/lara-zeus/artemis/commit/3a3f9… | x_refsource_MISC |
| https://github.com/lara-zeus/dynamic-dashboard/co… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| lara-zeus | dynamic-dashboard |
Affected:
lara-zeus/dynamic-dashboard: >= 3.0.0, < 3.0.2
Affected: lara-zeus/artemis: >= 1.0.0, < 1.0.7 |
|
| lara_zeus | dynamic_dashboard |
Affected:
3.0.0 , < 3.0.2
(custom)
Affected: 1.0.0 , < 1.0.7 (custom) cpe:2.3:a:lara_zeus:dynamic_dashboard:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:lara_zeus:dynamic_dashboard:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dynamic_dashboard",
"vendor": "lara_zeus",
"versions": [
{
"lessThan": "3.0.2",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "1.0.7",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-47817",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T14:14:27.634460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:19:30.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dynamic-dashboard",
"vendor": "lara-zeus",
"versions": [
{
"status": "affected",
"version": "lara-zeus/dynamic-dashboard: \u003e= 3.0.0, \u003c 3.0.2"
},
{
"status": "affected",
"version": "lara-zeus/artemis: \u003e= 1.0.0, \u003c 1.0.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lara-zeus Dynamic Dashboard simple way to manage widgets for your website landing page, and filament dashboard and Lara-zeus artemis is a collection of themes for the lara-zeus ecosystem. If values passed to a paragraph widget are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a paragraph widget is rendered. Users are advised to upgrade to the appropriate fix versions detailed in the advisory metadata. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T21:22:18.473Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lara-zeus/dynamic-dashboard/security/advisories/GHSA-c6cw-g7fc-4gwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lara-zeus/dynamic-dashboard/security/advisories/GHSA-c6cw-g7fc-4gwc"
},
{
"name": "https://github.com/lara-zeus/artemis/commit/3a3f9dd8a706af569c5581b20dcfeff91a43b9d9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lara-zeus/artemis/commit/3a3f9dd8a706af569c5581b20dcfeff91a43b9d9"
},
{
"name": "https://github.com/lara-zeus/dynamic-dashboard/commit/adfb4b1cdfdaa01299631f0e569ce201a7cc545a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lara-zeus/dynamic-dashboard/commit/adfb4b1cdfdaa01299631f0e569ce201a7cc545a"
}
],
"source": {
"advisory": "GHSA-c6cw-g7fc-4gwc",
"discovery": "UNKNOWN"
},
"title": "Unvalidated paragraph widget values can be used for Cross-site Scripting in lara-zeus"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47817",
"datePublished": "2024-10-07T21:22:18.473Z",
"dateReserved": "2024-10-03T14:06:12.638Z",
"dateUpdated": "2024-10-08T14:19:30.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}