CVE-2023-24081 - Vulnerability Details - OpenCVE

Multiple stored cross-site scripting (XSS) vulnerabilities in Redrock Software TutorTrac before v4.2.170210 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the reason and location fields of the visits listing page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Go-redrock	Tutortrac

Configuration 1 [-]

cpe:2.3:a:go-redrock:tutortrac:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://brackish.io/tutortrac-multiple-stored-xss/
https://wiki.go-redrock.com/index.php/4.0_Recent_Changes
https://www.go-redrock.com/solutions/tutortrac/

History

Fri, 14 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-02-21T00:00:00.000Z

Updated: 2025-03-14T18:34:42.432Z

Reserved: 2023-01-23T00:00:00.000Z

Link: CVE-2023-24081

Vulnrichment

Updated: 2024-08-02T10:49:09.031Z

NVD

Status : Modified

Published: 2023-02-21T23:15:11.600

Modified: 2025-03-14T19:15:41.457

Link: CVE-2023-24081

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-24081", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-14T18:34:42.432Z", "dateReserved": "2023-01-23T00:00:00.000Z", "datePublished": "2023-02-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-02-21T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in Redrock Software TutorTrac before v4.2.170210 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the reason and location fields of the visits listing page."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://brackish.io/tutortrac-multiple-stored-xss/"}, {"url": "https://www.go-redrock.com/solutions/tutortrac/"}, {"url": "https://wiki.go-redrock.com/index.php/4.0_Recent_Changes"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:49:09.031Z"}, "title": "CVE Program Container", "references": [{"url": "https://brackish.io/tutortrac-multiple-stored-xss/", "tags": ["x_transferred"]}, {"url": "https://www.go-redrock.com/solutions/tutortrac/", "tags": ["x_transferred"]}, {"url": "https://wiki.go-redrock.com/index.php/4.0_Recent_Changes", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-14T18:33:52.045373Z", "id": "CVE-2023-24081", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T18:34:42.432Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://brackish.io/tutortrac-multiple-stored-xss/", "tags": ["x_transferred"]}, {"url": "https://www.go-redrock.com/solutions/tutortrac/", "tags": ["x_transferred"]}, {"url": "https://wiki.go-redrock.com/index.php/4.0_Recent_Changes", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:49:09.031Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-24081", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-14T18:33:52.045373Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-14T18:34:24.187Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://brackish.io/tutortrac-multiple-stored-xss/"}, {"url": "https://www.go-redrock.com/solutions/tutortrac/"}, {"url": "https://wiki.go-redrock.com/index.php/4.0_Recent_Changes"}], "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in Redrock Software TutorTrac before v4.2.170210 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the reason and location fields of the visits listing page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-02-21T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-24081", "state": "PUBLISHED", "dateUpdated": "2025-03-14T18:34:42.432Z", "dateReserved": "2023-01-23T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-02-21T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:go-redrock:tutortrac:*:*:*:*:*:*:*:*", "matchCriteriaId": "72C8C0E8-9B6C-44B4-B42A-0F72246B9AF6", "versionEndExcluding": "4.2.170210", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in Redrock Software TutorTrac before v4.2.170210 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the reason and location fields of the visits listing page."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de cross-site scripting (XSS) almacenadas en Redrock Software TutorTrac anterior a v4.2.170210 permiten a los atacantes ejecutar scripts web arbitrarias o HTML a trav\u00e9s de un payload manipulado inyectado en los campos de motivo y ubicaci\u00f3n de la p\u00e1gina de listado de visitas."}], "id": "CVE-2023-24081", "lastModified": "2025-03-14T19:15:41.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-02-21T23:15:11.600", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://brackish.io/tutortrac-multiple-stored-xss/"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://wiki.go-redrock.com/index.php/4.0_Recent_Changes"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.go-redrock.com/solutions/tutortrac/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://brackish.io/tutortrac-multiple-stored-xss/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://wiki.go-redrock.com/index.php/4.0_Recent_Changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.go-redrock.com/solutions/tutortrac/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}