Cross-Site Scripting in the Holded application

Posted date 22/04/2024

Importance

3 - Medium

Affected Resources

Holded web application.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting the Holded application, a management software for SMEs and entrepreneurs, which has been discovered by Raúl Vega Arjona, from Hispasec Sistemas.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

CVE-2024-4026: 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CWE-79

Solution

Vulnerability fixed in version 4.20.0.

Detail

CVE-2024-4026: Cross-Site Scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within all editable parameters within the 'General' and 'Team ID' functionalities, which could result in a session takeover.

References list

Holded website

Etiquetas

0day
Update
SME
Vulnerability