Unauthenticated XSS vulnerability in Norman's public API endpoint can lead to remote code execution
CVE-2023-32193
8.3 HIGH
Summary
A cross-site scripting (XSS) vulnerability exists in the public API endpoint of Norman that allows unauthenticated users to inject malicious JavaScript code. When exploited, this vulnerability enables attackers to execute remote commands, potentially compromising user data and system integrity. This presents a significant security risk for organizations using the affected product, as an attacker could manipulate the behavior of web applications and access sensitive information without authorization.
Affected Version(s)
norman 0 < 0.0.0-20240207153100-3bb70b772b52
References
CVSS V3.1
Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved
Credit
https://github.com/diego95root
https://github.com/kujalamathias