Multiple vulnerabilities in Clibo Manager

Posted date: 26/09/2024
Importance: 4 - High
Affected Resources

Clibo Manager, versions 1.1.9.1 and 1.1.9.2.

Description

INCIBE has coordinated the publication of two vulnerabilities, of high and medium severity, affecting Clibo Manager versions 1.1.9.1 and 1.1.9.2, respectively. The first vulnerability could allow an attacker to execute a stored Cross-Site Scripting (stored XSS) attack by uploading a malicious image with an SVG extension in version 1.1.9.1. The second vulnerability is a missing limit on email sending in the 'forgot my password' section, affecting version 1.1.9.2. Both vulnerabilities were discovered by David Padilla Alvarado.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base scores, CVSS vectors and CWE vulnerability types:

  • CVE-2024-9198: CVSS v3.1: 7.6 | CVSS AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N | CWE-79
  • CVE-2024-9199: CVSS v3.1: 5.8 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N | CWE-799
Solution

The vulnerabilities have been fixed by the Clibo Manager team in version 1.1.9.12.

Detail
  • CVE-2024-9198: vulnerability in Clibo Manager v1.1.9.1 that could allow an attacker to execute a stored Cross-Site Scripting (stored XSS) attack by uploading a malicious .svg image in the section: Profile > Profile picture.
  • CVE-2024-9199: rate limit vulnerability in Clibo Manager v1.1.9.2 that could allow an attacker to send a large number of 'forgot my password' emails to the victim in a short time, affecting availability and leading to a denial of service (DoS).
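As an added defensive illustration (not Clibo Manager code, and not the vendor's fix), the following Python check shows the kind of server-side validation that rejects an uploaded SVG profile picture carrying active content, the class of file behind CVE-2024-9198; the set of flagged element names, the href policy and the sample SVGs are constructed assumptions.

```python
# Added example: a conservative check for uploaded SVG profile pictures.
# Not Clibo Manager code; the tag set and href policy are assumptions chosen
# for an avatar use case, where nothing but static vector shapes is needed.
import xml.etree.ElementTree as ET

# SVG elements that can carry or load active content when rendered inline.
# animate/set are included because they can rewrite attributes such as href.
ACTIVE_CONTENT_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "animate", "set"}


def _local(tag: str) -> str:
    """Strip an {namespace} prefix so <svg:script> and <script> compare equal."""
    return tag.rsplit("}", 1)[-1].lower()


def _normalize_url(value: str) -> str:
    """Drop whitespace and control characters that browsers ignore inside a URL scheme."""
    return "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31).lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; an empty list means it passed."""
    # An avatar never needs DOCTYPE/ENTITY declarations; they enable XXE and entity-expansion tricks.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_CONTENT_TAGS:
            findings.append(f"active content element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            # Only same-document references (#id) are allowed, which rejects
            # javascript:, data: and external URLs in href and xlink:href alike.
            elif aname == "href" and not _normalize_url(value).startswith("#"):
                findings.append(f"non-local reference in href on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples, not files from the advisory.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<defs><circle id="dot" r="4" fill="blue"/></defs><use href="#dot" x="5" y="5"/></svg>')
SUSPICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                  b'<script>/* constructed */</script><circle r="1" onload="f()"/>'
                  b'<a xlink:href="javascript:f()"><text>x</text></a></svg>')
```

Rasterizing avatars to PNG on upload, or serving stored SVGs with `Content-Disposition: attachment` from a separate origin, removes the inline-rendering risk even where a check like this is bypassed.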