CVE-2025-24338

A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to execute arbitrary client-side code in the context of another user's browser via multiple crafted HTTP requests.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html

Configurations

No configuration.

History

02 May 2025, 13:53

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad en la funcionalidad “Administra datos de la aplicación” de la aplicación web de ctrlX OS permite a un atacante remoto autenticado (con pocos privilegios) ejecutar código arbitrario del lado del cliente en el contexto del navegador de otro usuario a través de múltiples solicitudes HTTP manipuladas.

30 Apr 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-30 11:15

Updated : 2025-05-02 13:53

NVD link : CVE-2025-24338

Mitre link : CVE-2025-24338

CVE.ORG link : CVE-2025-24338

JSON object : View

Products Affected

No product.

CWE

CWE-116

Improper Encoding or Escaping of Output

7.1 /10