CVE-2024-4424 (GCVE-0-2024-4424)

Vulnerability from cvelistv5 – Published: 2024-05-09 09:36 – Updated: 2025-03-13 18:37
VLAI
Title
Stored XSS in CemiPark
Summary
The access control in CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
CEMI Tomasz Pawełek CemiPark Affected: 4.5
Affected: 4.7
Affected: 5.03
Create a notification for this product.
Credits
Dariusz Gońda
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-4424",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-09T18:32:19.101648Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-13T18:37:33.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:40:47.178Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://cert.pl/posts/2024/05/CVE-2024-4423/"
          },
          {
            "tags": [
              "product",
              "x_transferred"
            ],
            "url": "http://cemi.pl/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "CemiPark",
          "vendor": "CEMI Tomasz Pawe\u0142ek",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "status": "affected",
              "version": "5.03"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dariusz Go\u0144da"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The access control in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCemiPark software\u003c/span\u003e does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.\u003cp\u003eThis issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\u003c/p\u003e"
            }
          ],
          "value": "The access control in\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-09T09:36:58.788Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/posts/2024/05/CVE-2024-4423/"
        },
        {
          "tags": [
            "product"
          ],
          "url": "http://cemi.pl/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Stored XSS in CemiPark",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2024-4424",
    "datePublished": "2024-05-09T09:36:58.788Z",
    "dateReserved": "2024-05-02T11:55:32.039Z",
    "dateUpdated": "2025-03-13T18:37:33.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-4424",
      "date": "2026-07-09",
      "epss": "0.0043",
      "percentile": "0.34669"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-4424\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2024-05-14T15:43:41.587\",\"lastModified\":\"2026-06-17T08:01:51.107\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The access control in\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\\n\\n\"},{\"lang\":\"es\",\"value\":\"El control de acceso en el software CemiPark no valida adecuadamente los datos ingresados por el usuario, lo que permite el ataque de Cross Site Scripting (XSS) almacenado. Los par\u00e1metros utilizados para ingresar datos al sistema no cuentan con la validaci\u00f3n adecuada, lo que hace posible el contrabando de c\u00f3digo HTML/JavaScript. Este c\u00f3digo se ejecutar\u00e1 en el espacio del navegador del usuario. Este problema afecta al software CemiPark: 4.5, 4.7, 5.03 y potencialmente a otros. El vendedor se neg\u00f3 a proporcionar la gama espec\u00edfica de productos afectados.\"}],\"affected\":[{\"source\":\"cvd@cert.pl\",\"affectedData\":[{\"vendor\":\"CEMI Tomasz Pawe\u0142ek\",\"product\":\"CemiPark\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"4.5\",\"status\":\"affected\"},{\"version\":\"4.7\",\"status\":\"affected\"},{\"version\":\"5.03\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2024-05-09T18:32:19.101648Z\",\"id\":\"CVE-2024-4424\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"http://cemi.pl/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://cert.pl/en/posts/2024/05/CVE-2024-4423/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://cert.pl/posts/2024/05/CVE-2024-4423/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"http://cemi.pl/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert.pl/en/posts/2024/05/CVE-2024-4423/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert.pl/posts/2024/05/CVE-2024-4423/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "redhat_vex": {
      "current_release_date": "2025-05-28T19:55:14+00:00",
      "cve": "CVE-2024-4424",
      "id": "CVE-2024-4424",
      "initial_release_date": "2024-01-01T00:00:00+00:00",
      "product_status:known_not_affected": "1",
      "source": "Red Hat CSAF VEX",
      "status": "final",
      "title": "Stored XSS in CemiPark",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-4424.json",
      "version": "3"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://cert.pl/en/posts/2024/05/CVE-2024-4423/\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"https://cert.pl/posts/2024/05/CVE-2024-4423/\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"http://cemi.pl/\", \"tags\": [\"product\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:40:47.178Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-4424\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-09T18:32:19.101648Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-09T18:33:03.841Z\"}}], \"cna\": {\"title\": \"Stored XSS in CemiPark\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Dariusz Go\\u0144da\"}], \"impacts\": [{\"capecId\": \"CAPEC-592\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-592 Stored XSS\"}]}], \"affected\": [{\"vendor\": \"CEMI Tomasz Pawe\\u0142ek\", \"product\": \"CemiPark\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.5\"}, {\"status\": \"affected\", \"version\": \"4.7\"}, {\"status\": \"affected\", \"version\": \"5.03\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://cert.pl/en/posts/2024/05/CVE-2024-4423/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://cert.pl/posts/2024/05/CVE-2024-4423/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"http://cemi.pl/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The access control in\\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The access control in\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eCemiPark software\u003c/span\u003e does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user\u0027s browser space.\u003cp\u003eThis issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2024-05-09T09:36:58.788Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-4424\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-13T18:37:33.936Z\", \"dateReserved\": \"2024-05-02T11:55:32.039Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2024-05-09T09:36:58.788Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…