Unauthenticated XSS vulnerability in Norman's public API endpoint can lead to remote code execution

CVE-2023-32193

8.3HIGH

Key Information

Vendor: Suse
Status: Norman
Vendor: CVE Published:; 16 October 2024

Summary

A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely.

Affected Version(s)

norman < 0.0.0-20240207153100-3bb70b772b52

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published.
Oct 16, 2024
Vulnerability Reserved.
May 4, 2023

Collectors

NVD DatabaseMitre Database

Credit

https://github.com/diego95root

https://github.com/kujalamathias