Vulnerability Description
Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Passbolt | Passbolt Api | < 4.6.2 |
Related Weaknesses (CWE)
References
- https://help.passbolt.com/incidents/reflective-html-injection-vulnerabilityIssue TrackingVendor Advisory
- https://www.passbolt.com/incidentsIssue TrackingVendor Advisory
- https://www.passbolt.com/security/moreProduct
- https://help.passbolt.com/incidents/reflective-html-injection-vulnerabilityIssue TrackingVendor Advisory
- https://www.passbolt.com/incidentsIssue TrackingVendor Advisory
- https://www.passbolt.com/security/moreProduct
FAQ
What is CVE-2024-33670?
CVE-2024-33670 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as Jav...
How severe is CVE-2024-33670?
CVE-2024-33670 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-33670?
Check the references section above for vendor advisories and patch information. Affected products include: Passbolt Passbolt Api.