fkie_cve-2024-49337
Vulnerability from fkie_nvd
Published: 2025-02-20 12:15
Modified: 2025-02-20 12:15
Summary
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages is vulnerable to HTML injection, caused by improper validation of user-supplied input of text fields used to construct workflow email notifications. A remote authenticated attacker could exploit this vulnerability using HTML tags in a text field of an object to inject malicious script into an email which would be executed in a victim's mail client within the security context of the OpenPages mail message. An attacker could use this for phishing or identity theft attacks.
```json
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages \n\n\n\n\n\nis vulnerable to HTML injection, caused by improper validation of user-supplied input of text fields used to construct workflow email notifications. A remote authenticated attacker could exploit this vulnerability using HTML tags in a text field of an object to inject malicious script into an email which would be executed in a victim\u0027s mail client within the security context of the OpenPages mail message. An attacker could use this for phishing or identity theft attacks."
    },
    {
      "lang": "es",
      "value": "IBM OpenPages con Watson 8.3 y 9.0 IBM OpenPages es vulnerable a la inyecci\u00f3n de HTML, causada por una validaci\u00f3n incorrecta de la entrada proporcionada por el usuario de los campos de texto utilizados para construir notificaciones de correo electr\u00f3nico de flujo de trabajo. Un atacante remoto autenticado podr\u00eda explotar esta vulnerabilidad utilizando etiquetas HTML en un campo de texto de un objeto para inyectar un script malicioso en un correo electr\u00f3nico que se ejecutar\u00eda en el cliente de correo de una v\u00edctima dentro del contexto de seguridad del mensaje de correo de OpenPages. Un atacante podr\u00eda utilizar esto para ataques de phishing o robo de identidad."
    }
  ],
  "id": "CVE-2024-49337",
  "lastModified": "2025-02-20T12:15:09.293",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "psirt@us.ibm.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-20T12:15:09.293",
  "references": [
    {
      "source": "psirt@us.ibm.com",
      "url": "https://www.ibm.com/support/pages/node/7183541"
    }
  ],
  "sourceIdentifier": "psirt@us.ibm.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-80"
        }
      ],
      "source": "psirt@us.ibm.com",
      "type": "Primary"
    }
  ]
}
```
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.