Vulnerability-Lookup

CNVD-2024-33676

Vulnerability from cnvd - Published: 2024-07-25

Title

ClassCMS跨站脚本漏洞（CNVD-2024-33676）

Description

ClassCMS是中国ClassCMS开源的一款简单、灵活、安全、易于拓展的内容管理系统。 ClassCMS存在跨站脚本漏洞，该漏洞源于/admin/?action=home&do=shop:index&keyword=&kind=all文件中的order参数包含跨站脚本。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

ClassCMS跨站脚本漏洞（CNVD-2024-33676）的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://github.com/ClassCMS/ClassCMS

Reference

https://vuldb.com/?id.271987 https://vuldb.com/?ctiid.271987 https://vuldb.com/?submit.372000 https://github.com/Hebing123/cve/issues/42

Impacted products

Name
ClassCMS ClassCMS 4.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-6932",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-6932"
    }
  },
  "description": "ClassCMS\u662f\u4e2d\u56fdClassCMS\u5f00\u6e90\u7684\u4e00\u6b3e\u7b80\u5355\u3001\u7075\u6d3b\u3001\u5b89\u5168\u3001\u6613\u4e8e\u62d3\u5c55\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\n\nClassCMS\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e/admin/?action=home\u0026do=shop:index\u0026keyword=\u0026kind=all\u6587\u4ef6\u4e2d\u7684order\u53c2\u6570\u5305\u542b\u8de8\u7ad9\u811a\u672c\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://github.com/ClassCMS/ClassCMS",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-33676",
  "openTime": "2024-07-25",
  "patchDescription": "ClassCMS\u662f\u4e2d\u56fdClassCMS\u5f00\u6e90\u7684\u4e00\u6b3e\u7b80\u5355\u3001\u7075\u6d3b\u3001\u5b89\u5168\u3001\u6613\u4e8e\u62d3\u5c55\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nClassCMS\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e/admin/?action=home\u0026do=shop:index\u0026keyword=\u0026kind=all\u6587\u4ef6\u4e2d\u7684order\u53c2\u6570\u5305\u542b\u8de8\u7ad9\u811a\u672c\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ClassCMS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-33676\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "ClassCMS ClassCMS 4.5"
  },
  "referenceLink": "https://vuldb.com/?id.271987\r\nhttps://vuldb.com/?ctiid.271987\r\nhttps://vuldb.com/?submit.372000\r\nhttps://github.com/Hebing123/cve/issues/42",
  "serverity": "\u4e2d",
  "submitTime": "2024-07-23",
  "title": "ClassCMS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-33676\uff09"
}

CVE-2024-6932 (GCVE-0-2024-6932)

Vulnerability from cvelistv5 – Published: 2024-07-20 21:31 – Updated: 2024-08-01 21:45

Title

ClassCMS cross site scripting

Summary

A vulnerability was found in ClassCMS 4.5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/?action=home&do=shop:index&keyword=&kind=all. The manipulation of the argument order leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271987.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

3.5 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

3.5 (Low)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-79 - Cross Site Scripting

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.271987	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.271987	signaturepermissions-required
	https://vuldb.com/?submit.372000	third-party-advisory
	https://github.com/Hebing123/cve/issues/42	exploitissue-tracking

Impacted products

	Vendor	Product	Version
	n/a	ClassCMS	Affected: 4.5

Credits

jiashenghe (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:classcms:classcms:4.5:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "classcms",
            "vendor": "classcms",
            "versions": [
              {
                "status": "affected",
                "version": "4.5"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6932",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-22T14:54:02.092212Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-22T20:32:15.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:45:38.339Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VDB-271987 | ClassCMS cross site scripting",
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.271987"
          },
          {
            "name": "VDB-271987 | CTI Indicators (IOB, IOC, TTP, IOA)",
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.271987"
          },
          {
            "name": "Submit #372000 | ClassCMS v4.5 Cross Site Scripting",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?submit.372000"
          },
          {
            "tags": [
              "exploit",
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/Hebing123/cve/issues/42"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ClassCMS",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "jiashenghe (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in ClassCMS 4.5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/?action=home\u0026do=shop:index\u0026keyword=\u0026kind=all. The manipulation of the argument order leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271987."
        },
        {
          "lang": "de",
          "value": "In ClassCMS 4.5 wurde eine problematische Schwachstelle ausgemacht. Betroffen ist eine unbekannte Verarbeitung der Datei /admin/?action=home\u0026do=shop:index\u0026keyword=\u0026kind=all. Dank Manipulation des Arguments order mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross Site Scripting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-20T21:31:04.132Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-271987 | ClassCMS cross site scripting",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.271987"
        },
        {
          "name": "VDB-271987 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.271987"
        },
        {
          "name": "Submit #372000 | ClassCMS v4.5 Cross Site Scripting",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.372000"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/Hebing123/cve/issues/42"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-07-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-07-20T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-07-20T08:02:26.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ClassCMS cross site scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-6932",
    "datePublished": "2024-07-20T21:31:04.132Z",
    "dateReserved": "2024-07-20T05:57:14.472Z",
    "dateUpdated": "2024-08-01T21:45:38.339Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-33676

CVE-2024-6932 (GCVE-0-2024-6932)

Tags

Sightings

Nomenclature