CVE-2024-10089

Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for changing user's data with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/04/CVE-2024-10087
https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html

Configurations

No configuration.

History

15 Apr 2025, 18:39

Type	Values Removed	Values Added
Summary		(es) Internet Starter, uno de los módulos del sistema SoftCOM iKSORIS, es vulnerable a ataques XSS almacenado (Cross-site Scripting). Un atacante podría engañar a un usuario para que rellene un formulario diseñado para modificar sus datos con un script malicioso, lo que provoca que el script se ejecute en el contexto del usuario. Esta vulnerabilidad ha sido corregida en la versión 79.0.

14 Apr 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-14 12:15

Updated : 2025-04-15 18:39

NVD link : CVE-2024-10089

Mitre link : CVE-2024-10089

CVE.ORG link : CVE-2024-10089

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-10089", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-14T12:15:14.403", "references": [{"url": "https://cert.pl/en/posts/2025/04/CVE-2024-10087", "source": "cvd@cert.pl"}, {"url": "https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html", "source": "cvd@cert.pl"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for changing user's data with a malicious script, what causes the script to run in user's context.\u00a0\nThis vulnerability has been patched in version 79.0"}, {"lang": "es", "value": "Internet Starter, uno de los m\u00f3dulos del sistema SoftCOM iKSORIS, es vulnerable a ataques XSS almacenado (Cross-site Scripting). Un atacante podr\u00eda enga\u00f1ar a un usuario para que rellene un formulario dise\u00f1ado para modificar sus datos con un script malicioso, lo que provoca que el script se ejecute en el contexto del usuario. Esta vulnerabilidad ha sido corregida en la versi\u00f3n 79.0."}], "lastModified": "2025-04-15T18:39:27.967", "sourceIdentifier": "cvd@cert.pl"}