
2 vulnerabilities by VIWIS

CVE-2024-8002 (GCVE-0-2024-8002)

Vulnerability from cvelistv5 – Published: 2025-01-08 06:50 – Updated: 2025-01-08 14:21
Title
VIWIS LMS File Upload cross site scripting
Summary
A vulnerability has been found in VIWIS LMS 9.11 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component File Upload. The manipulation of the argument filename leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 9.12 addresses this issue. It is recommended to upgrade the affected component. (The CVSS vectors in the record below disagree on user interaction: the 3.0 and 3.1 vectors give UI:R, while the 4.0 vector gives UI:N.)
CWE: CWE-79 (Cross Site Scripting), CWE-94 (Code Injection)
Assigner: VulDB
References
https://vuldb.com/?id.290767 (tags: vdb-entry, technical-description)
https://vuldb.com/?ctiid.290767 (tags: signature, permissions-required)
Impacted products
Vendor Product Version
VIWIS LMS Affected: 9.11
Credits
Ralph Meier

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8002",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-08T14:20:43.221375Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-08T14:21:10.658Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "File Upload"
          ],
          "product": "LMS",
          "vendor": "VIWIS",
          "versions": [
            {
              "status": "affected",
              "version": "9.11"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ralph Meier"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in VIWIS LMS 9.11 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component File Upload. The manipulation of the argument filename leads to cross site scripting. The attack can be launched remotely. Upgrading to version 9.12 is able to address this issue. It is recommended to upgrade the affected component."
        },
        {
          "lang": "de",
          "value": "In VIWIS LMS 9.11 wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Komponente File Upload. Durch Manipulation des Arguments filename mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Ein Aktualisieren auf die Version 9.12 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross Site Scripting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-08T06:50:29.219Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-290767 | VIWIS LMS File Upload cross site scripting",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.290767"
        },
        {
          "name": "VDB-290767 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.290767"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-01-08T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-01-08T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-01-08T07:53:43.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "VIWIS LMS File Upload cross site scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-8002",
    "datePublished": "2025-01-08T06:50:29.219Z",
    "dateReserved": "2024-08-20T08:04:31.985Z",
    "dateUpdated": "2025-01-08T14:21:10.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-8001 (GCVE-0-2024-8001)

Vulnerability from cvelistv5 – Published: 2024-11-13 09:47 – Updated: 2025-01-09 16:32
Title
VIWIS LMS Print authorization
Summary
A vulnerability was found in VIWIS LMS 9.11. It has been classified as critical. Affected is an unknown function of the component Print Handler. The manipulation leads to missing authorization. It is possible to launch the attack remotely. A user with the role learner who has an active session can use the administrative print function before and after an exam slot to access the entire exam, including solutions, in the web application. It is recommended to apply a patch to fix this issue. (The "critical" classification is the wording of the description; the CVSS base scores in the record below are Medium: 6.9 under CVSS 4.0 and 5.3 under CVSS 3.1 and 3.0.)
CWE: CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization)
Assigner: VulDB
References
Impacted products
Vendor Product Version
VIWIS LMS Affected: 9.11
Credits
Ralph Meier

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:viwis:lms:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "lms",
            "vendor": "viwis",
            "versions": [
              {
                "status": "affected",
                "version": "9.11"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8001",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-13T14:50:49.767422Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T16:32:53.405Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Print Handler"
          ],
          "product": "LMS",
          "vendor": "VIWIS",
          "versions": [
            {
              "status": "affected",
              "version": "9.11"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ralph Meier"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in VIWIS LMS 9.11. It has been classified as critical. Affected is an unknown function of the component Print Handler. The manipulation leads to missing authorization. It is possible to launch the attack remotely. A user with the role learner can use the administrative print function with an active session before and after an exam slot to access the entire exam including solutions in the web application. It is recommended to apply a patch to fix this issue."
        },
        {
          "lang": "de",
          "value": "Es wurde eine kritische Schwachstelle in VIWIS LMS 9.11 ausgemacht. Es geht dabei um eine nicht klar definierte Funktion der Komponente Print Handler. Mit der Manipulation mit unbekannten Daten kann eine missing authorization-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-08T06:49:21.233Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-284352 | VIWIS LMS Print authorization",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.284352"
        },
        {
          "name": "VDB-284352 | CTI Indicators (IOB, IOC)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.284352"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.scip.ch/?news.20241203"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-11-13T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-11-13T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-01-08T07:54:08.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "VIWIS LMS Print authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-8001",
    "datePublished": "2024-11-13T09:47:38.973Z",
    "dateReserved": "2024-08-20T08:04:18.419Z",
    "dateUpdated": "2025-01-09T16:32:53.405Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}