CVE-2024-50861

medium

Description

The ip_mod_dns_key_form.cgi request in GestioIP v3.5.7 is vulnerable to Stored XSS. An attacker can inject malicious code into the "TSIG Key" field, which is saved in the database and triggers XSS when viewed, enabling data exfiltration and CSRF attacks.

References

https://github.com/muebel/gestioip-docker-compose

https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50861

http://www.gestioip.net

Details

Source: Mitre, NVD

Published: 2025-01-14

Updated: 2025-01-15

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium