CVE-2024-53255

Nov. 25, 2024, 7:15 p.m.

None
No Score

Description

BoidCMS is a free and open-source flat file CMS for building simple websites and blogs, developed using PHP and uses JSON as a database. In affected versions a reflected Cross-site Scripting (XSS) vulnerability exists in the /admin?page=media endpoint in the file parameter, allowing an attacker to inject arbitrary JavaScript code. This code could be used to steal the user's session cookie, perform phishing attacks, or deface the website. This issue has been addressed in version 2.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Product(s) Impacted

Product Versions
BoidCMS
  • ['2.1.2']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/BoidCMS/BoidCMS/commit/42f4d703a87f5199bbd701b3495a26c91b9cfab7
https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-7q7m-cgw8-px4r

Tags

security-advisories@github.com
CWE-79
2024-11-25
CVE-2024-53255

Timeline

Published: Nov. 25, 2024, 7:15 p.m.
Last Modified: Nov. 25, 2024, 7:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.