Cross Site Scripting Vulnerability in iboss Secure Web Gateway Could Lead to Remote Exploitation
CVE-2024-3378

6.1MEDIUM

Key Information:

Vendor: Iboss
Status: Secure Web Gateway
Vendor: CVE Published:; 6 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-3378?

A vulnerability has been found in iboss Secure Web Gateway up to 10.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login of the component Login Portal. The manipulation of the argument redirectUrl leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.2.0.160 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-259501 was assigned to this vulnerability.

Affected Version(s)

Secure Web Gateway 10.0

Secure Web Gateway 10.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-3378 - Proof of Concept

References

https://vuldb.com/?id.259501

vdb-entrytechnical-description

https://vuldb.com/?ctiid.259501

signaturepermissions-required

https://vuldb.com/?submit.310642

third-party-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 6, 2024
👾
Exploit known to exist
Apr 6, 2024
Vulnerability published
Apr 6, 2024
Vulnerability Reserved
Apr 5, 2024

Iboss