CVE-2023-40819 : ID4Portais in version < V.2022.837.002a returns message parameter unsanitized in

ID4Portais in version < V.2022.837.002a returns message parameter unsanitized in the response, resulting in a HTML Injection vulnerability.

Published 2024-08-06 14:16:03

Updated 2024-08-12 16:12:47

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-40819

Devlop.systems » Id4portais
Versions up to, including, (<=) 2022.837.002a
cpe:2.3:a:devlop.systems:id4portais:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-08-07
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST	2024-08-12
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)
CWE-233 Improper Handling of Parameters

The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Jump to