CVE-2024-25974
CVSS V2 None
CVSS V3 None
Description
The Frentix GmbH OpenOlat LMS is affected by a stored Cross-Site Scripting (XSS) vulnerability. In OpenOlat version 18.1.5 (or lower), an authenticated user without any other rights can upload files within the Media Center. Although the file types are limited, an SVG image containing an XSS payload can be uploaded. After a successful upload, the file can be shared with groups of users (including admins), who can then be attacked with the JavaScript payload.
Overview
- CVE ID: CVE-2024-25974
- Assigner: SEC-VLab
- Vulnerability Status: PUBLISHED
- Published Version: 2024-02-20T08:02:44.251Z
- Last Modified Date: 2024-02-20T08:02:44.251Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://r.sec-consult.com/openolat | third-party-advisory |
http://seclists.org/fulldisclosure/2024/Feb/23 | |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-25974 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25974 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-26 13:09:46 | | | | Added to TrackCVE |