Back

CVE-2024-5165

May 23, 2024, 10:15 a.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Eclipse Ditto

  • 3.0.0 - 3.5.5

Source

emo@eclipse.org

Tags

CWE-79
emo@eclipse.org
2024-05-23
CVE-2024-5165

CVE-2024-5165 details

Published : May 23, 2024, 10:15 a.m.
Last Modified : May 23, 2024, 10:15 a.m.

Description

In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of several input fields of the Eclipse Ditto Explorer User Interface https://eclipse.dev/ditto/user-interface.html was not properly neutralized and thus vulnerable to both Reflected and Stored XSS (Cross Site Scripting). Several inputs were not persisted at the backend of Eclipse Ditto, but only in local browser storage to save settings of "environments" of the UI and e.g. the last performed "search queries", resulting in a "Reflected XSS" vulnerability. However, several other inputs were persisted at the backend of Eclipse Ditto, leading to a "Stored XSS" vulnerability. Those mean that authenticated and authorized users at Eclipse Ditto can persist Things in Ditto which can - when being displayed by other users also being authorized to see those Things in the Eclipse Ditto UI - cause scripts to be executed in the browser of other users.

CVSS Score

1 2 3 4 5 6.5 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.5

Exploitability Score

Impact Score

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

URL Source
https://gitlab.eclipse.org/security/cve-assignement/-/issues/23 emo@eclipse.org
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/201 emo@eclipse.org
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/202 emo@eclipse.org
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/204 emo@eclipse.org
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/207 emo@eclipse.org
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/209 emo@eclipse.org
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/210 emo@eclipse.org
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/211 emo@eclipse.org
This website uses the NVD API, but is not approved or certified by it.