Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qOXdwLXg1cTUteGgyZs4ABAra
Funadmin Cross-site Scripting vulnerability
An issue was found in funadmin 5.0.2. The selectfiles method in \backend\controller\sys\Attachh.php
directly stores the passed parameter names and values into the param parameter without filtering, resulting in cross-site scripting (XSS).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qOXdwLXg1cTUteGgyZs4ABAra
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 12 days ago
Updated: 10 days ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-j9wp-x5q5-xh2f, CVE-2024-48228
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-48228
- https://github.com/funadmin/funadmin/issues/31
- https://github.com/advisories/GHSA-j9wp-x5q5-xh2f
Blast Radius: 1.0
Affected Packages
packagist:funadmin/funadmin
Dependent packages: 0
Dependent repositories: 0
Downloads: 764 total
Affected Version Ranges: <= 5.0.2
No known fixed version
All affected versions: 1.5.0, 2.1.0, 2.2.6, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 5.0.0, 5.0.1, 5.0.2