CVE-2024-4424 - Vulnerability Details - OpenCVE

The access control in CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0032.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
http://cemi.pl/
https://cert.pl/en/posts/2024/05/CVE-2024-4423/
https://cert.pl/posts/2024/05/CVE-2024-4423/

History

Thu, 13 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2024-05-09T09:36:58.788Z

Updated: 2025-03-13T18:37:33.936Z

Reserved: 2024-05-02T11:55:32.039Z

Link: CVE-2024-4424

Vulnrichment

Updated: 2024-08-01T20:40:47.178Z

NVD

Status : Deferred

Published: 2024-05-14T15:43:41.587

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-4424

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4424", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-05-02T11:55:32.039Z", "datePublished": "2024-05-09T09:36:58.788Z", "dateUpdated": "2025-03-13T18:37:33.936Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "CemiPark", "vendor": "CEMI Tomasz Pawe\u0142ek", "versions": [{"status": "affected", "version": "4.5"}, {"status": "affected", "version": "4.7"}, {"status": "affected", "version": "5.03"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dariusz Go\u0144da"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The access control in <span style=\"background-color: rgb(255, 255, 255);\">CemiPark software</span> does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.<p>This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.</p>"}], "value": "The access control in\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\n\n"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-05-09T09:36:58.788Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/05/CVE-2024-4423/"}, {"tags": ["product"], "url": "http://cemi.pl/"}], "source": {"discovery": "UNKNOWN"}, "title": "Stored XSS in CemiPark", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-09T18:32:19.101648Z", "id": "CVE-2024-4424", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-13T18:37:33.936Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:40:47.178Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/posts/2024/05/CVE-2024-4423/"}, {"tags": ["product", "x_transferred"], "url": "http://cemi.pl/"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://cert.pl/posts/2024/05/CVE-2024-4423/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "http://cemi.pl/", "tags": ["product", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:40:47.178Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-4424", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-09T18:32:19.101648Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-09T18:33:03.841Z"}}], "cna": {"title": "Stored XSS in CemiPark", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Dariusz Go\u0144da"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "CEMI Tomasz Pawe\u0142ek", "product": "CemiPark", "versions": [{"status": "affected", "version": "4.5"}, {"status": "affected", "version": "4.7"}, {"status": "affected", "version": "5.03"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/05/CVE-2024-4423/", "tags": ["third-party-advisory"]}, {"url": "http://cemi.pl/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The access control in\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\n\n", "supportingMedia": [{"type": "text/html", "value": "The access control in <span style=\"background-color: rgb(255, 255, 255);\">CemiPark software</span> does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.<p>This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-05-09T09:36:58.788Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4424", "state": "PUBLISHED", "dateUpdated": "2025-03-13T18:37:33.936Z", "dateReserved": "2024-05-02T11:55:32.039Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-05-09T09:36:58.788Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The access control in\u00a0CemiPark software does not properly validate user-entered data, which allows the stored cross-site scripting (XSS) attack. The parameters used to enter data into the system do not have appropriate validation, which makes possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\n\n"}, {"lang": "es", "value": "El control de acceso en el software CemiPark no valida adecuadamente los datos ingresados por el usuario, lo que permite el ataque de Cross Site Scripting (XSS) almacenado. Los par\u00e1metros utilizados para ingresar datos al sistema no cuentan con la validaci\u00f3n adecuada, lo que hace posible el contrabando de c\u00f3digo HTML/JavaScript. Este c\u00f3digo se ejecutar\u00e1 en el espacio del navegador del usuario. Este problema afecta al software CemiPark: 4.5, 4.7, 5.03 y potencialmente a otros. El vendedor se neg\u00f3 a proporcionar la gama espec\u00edfica de productos afectados."}], "id": "CVE-2024-4424", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-14T15:43:41.587", "references": [{"source": "cvd@cert.pl", "url": "http://cemi.pl/"}, {"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/"}, {"source": "cvd@cert.pl", "url": "https://cert.pl/posts/2024/05/CVE-2024-4423/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cemi.pl/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://cert.pl/posts/2024/05/CVE-2024-4423/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cvd@cert.pl", "type": "Secondary"}]}