CVE-2024-4424 (GCVE-0-2024-4424)
Vulnerability from cvelistv5 – Published: 2024-05-09 09:36 – Updated: 2025-03-13 18:37
VLAI
EPSS
VEX
Title
Stored XSS in CemiPark
Summary
The access control in CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/05/CVE-2024-4423/ | third-party-advisory |
| https://cert.pl/posts/2024/05/CVE-2024-4423/ | third-party-advisory |
| http://cemi.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CEMI Tomasz Pawełek | CemiPark |
Affected:
4.5
Affected: 4.7 Affected: 5.03 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-4424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T18:32:19.101648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T18:37:33.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:40:47.178Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2024/05/CVE-2024-4423/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "http://cemi.pl/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "CemiPark",
"vendor": "CEMI Tomasz Pawe\u0142ek",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"status": "affected",
"version": "4.7"
},
{
"status": "affected",
"version": "5.03"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dariusz Go\u0144da"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The access control in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCemiPark software\u003c/span\u003e does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.\u003cp\u003eThis issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\u003c/p\u003e"
}
],
"value": "The access control in\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T09:36:58.788Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/05/CVE-2024-4423/"
},
{
"tags": [
"product"
],
"url": "http://cemi.pl/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in CemiPark",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-4424",
"datePublished": "2024-05-09T09:36:58.788Z",
"dateReserved": "2024-05-02T11:55:32.039Z",
"dateUpdated": "2025-03-13T18:37:33.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-4424",
"date": "2026-07-09",
"epss": "0.0043",
"percentile": "0.34669"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-4424\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2024-05-14T15:43:41.587\",\"lastModified\":\"2026-06-17T08:01:51.107\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The access control in\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\\n\\n\"},{\"lang\":\"es\",\"value\":\"El control de acceso en el software CemiPark no valida adecuadamente los datos ingresados por el usuario, lo que permite el ataque de Cross Site Scripting (XSS) almacenado. Los par\u00e1metros utilizados para ingresar datos al sistema no cuentan con la validaci\u00f3n adecuada, lo que hace posible el contrabando de c\u00f3digo HTML/JavaScript. Este c\u00f3digo se ejecutar\u00e1 en el espacio del navegador del usuario. Este problema afecta al software CemiPark: 4.5, 4.7, 5.03 y potencialmente a otros. El vendedor se neg\u00f3 a proporcionar la gama espec\u00edfica de productos afectados.\"}],\"affected\":[{\"source\":\"cvd@cert.pl\",\"affectedData\":[{\"vendor\":\"CEMI Tomasz Pawe\u0142ek\",\"product\":\"CemiPark\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"4.5\",\"status\":\"affected\"},{\"version\":\"4.7\",\"status\":\"affected\"},{\"version\":\"5.03\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2024-05-09T18:32:19.101648Z\",\"id\":\"CVE-2024-4424\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"http://cemi.pl/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://cert.pl/en/posts/2024/05/CVE-2024-4423/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://cert.pl/posts/2024/05/CVE-2024-4423/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"http://cemi.pl/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert.pl/en/posts/2024/05/CVE-2024-4423/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert.pl/posts/2024/05/CVE-2024-4423/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"redhat_vex": {
"current_release_date": "2025-05-28T19:55:14+00:00",
"cve": "CVE-2024-4424",
"id": "CVE-2024-4424",
"initial_release_date": "2024-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "Stored XSS in CemiPark",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-4424.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://cert.pl/en/posts/2024/05/CVE-2024-4423/\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"https://cert.pl/posts/2024/05/CVE-2024-4423/\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"http://cemi.pl/\", \"tags\": [\"product\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:40:47.178Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-4424\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-09T18:32:19.101648Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-09T18:33:03.841Z\"}}], \"cna\": {\"title\": \"Stored XSS in CemiPark\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Dariusz Go\\u0144da\"}], \"impacts\": [{\"capecId\": \"CAPEC-592\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-592 Stored XSS\"}]}], \"affected\": [{\"vendor\": \"CEMI Tomasz Pawe\\u0142ek\", \"product\": \"CemiPark\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5\"}, {\"status\": \"affected\", \"version\": \"4.7\"}, {\"status\": \"affected\", \"version\": \"5.03\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://cert.pl/en/posts/2024/05/CVE-2024-4423/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://cert.pl/posts/2024/05/CVE-2024-4423/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"http://cemi.pl/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The access control in\\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The access control in\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eCemiPark software\u003c/span\u003e does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.\u003cp\u003eThis issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2024-05-09T09:36:58.788Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-4424\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-13T18:37:33.936Z\", \"dateReserved\": \"2024-05-02T11:55:32.039Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2024-05-09T09:36:58.788Z\", \"assignerShortName\": \"CERT-PL\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…