CVE-2024-23387

{"id": "CVE-2024-23387", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2024-01-19T04:15:09.987", "references": [{"url": "https://github.com/fusionpbx/fusionpbx/", "tags": ["Product"], "source": "vultures@jpcert.or.jp"}, {"url": "https://jvn.jp/en/jp/JVN67215338/", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://www.fusionpbx.com/", "tags": ["Product"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with an administrative privilege, an arbitrary script may be executed on the web browser of the user who is logging in to the product."}, {"lang": "es", "value": "FusionPBX anterior a 5.1.0 contiene una vulnerabilidad de Cross-Site Scripting. Si esta vulnerabilidad es aprovechada por un atacante remoto autenticado con privilegios administrativos, se puede ejecutar un script arbitrario en el navegador web del usuario que inicia sesi\u00f3n en el producto."}], "lastModified": "2024-01-25T02:00:29.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fusionpbx:fusionpbx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D7E38EB-BDA8-4715-B097-772651C501D8", "versionEndExcluding": "5.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}