Cross-Site Scripting vulnerability in Gophish Admin Panel

Posted date 06/03/2024
Importance
3 - Medium
Affected Resources

Admin Panel, version 0.12.1.

Description

INCIBE has coordinated the publication of a medium severity vulnerability, discovered by Miguel Segovia Gil, affecting Gophish Admin Panel version 0.12.1. Gophish is an open source framework for creating phishing platforms and checking the organisation's exposure.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-2211: 4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CWE-79.

Solution

There is no reported solution at this time.

Detail

CVE-2024-2211: Stored Cross-Site Scripting vulnerability in Gophish affecting version 0.12.1. This vulnerability could allow an attacker to store a malicious JavaScript payload in the campaign menu; the payload is triggered when the campaign is removed from the menu.
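
The pattern behind this class of flaw (CWE-79), as an added example that is not Gophish source code or part of the original advisory: a delete-confirmation prompt built from a stored campaign name, in a weak and a hardened form, plus an audit helper that flags stored names for review. The prompt markup, the function names and the `{id, name}` record shape are assumptions, and the sample records are constructed.

```javascript
// Added example: hypothetical markup and record shape, not Gophish source code.

// Encode the characters that let text break out of HTML content or attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: the stored name is concatenated into markup as-is, so any tags
// it contains become live DOM when the prompt is rendered.
function deletePromptUnsafe(name) {
  return "<p>Delete campaign <strong>" + name + "</strong>?</p>";
}

// Hardened form: the name is encoded for the HTML context before it is used.
function deletePromptSafe(name) {
  return "<p>Delete campaign <strong>" + escapeHtml(name) + "</strong>?</p>";
}

// Audit helper: list stored campaigns whose name contains markup-significant
// characters or an HTML entity, so an administrator can review them outside
// the browser. Names with plain quotes are flagged too (review, not verdict).
function auditCampaignNames(campaigns) {
  return campaigns
    .filter((c) => typeof c.name === "string" && /[<>"'`]|&#?\w+;/.test(c.name))
    .map((c) => ({ id: c.id, escapedName: escapeHtml(c.name) }));
}

// Constructed sample records (not taken from any real deployment).
const sampleCampaigns = [
  { id: 1, name: "Q1 awareness test" },
  { id: 2, name: '<img src=x onerror="alert(1)">' },
  { id: 3, name: "Finance & HR pilot" },
];

for (const hit of auditCampaignNames(sampleCampaigns)) {
  console.log("review campaign " + hit.id + ": " + hit.escapedName);
}
```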