CVE-2024-28128 - Vulnerability Details - OpenCVE

Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cleancoder	Fitnesse

Configuration 1 [-]

cpe:2.3:a:cleancoder:fitnesse:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://fitnesse.org/FitNesseDownload
https://github.com/unclebob/fitnesse
https://github.com/unclebob/fitnesse/blob/master/SECURITY.md
https://jvn.jp/en/jp/JVN94521208/

History

Thu, 20 Mar 2025 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cleancoder Cleancoder fitnesse
CPEs		cpe:2.3:a:cleancoder:fitnesse::::::::
Vendors & Products		Cleancoder Cleancoder fitnesse

Thu, 20 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2024-03-18T07:31:34.749Z

Updated: 2025-03-20T19:10:27.895Z

Reserved: 2024-03-06T08:57:24.421Z

Link: CVE-2024-28128

Vulnrichment

Updated: 2024-08-02T00:48:48.936Z

NVD

Status : Modified

Published: 2024-03-18T08:15:06.400

Modified: 2025-03-20T19:15:28.360

Link: CVE-2024-28128

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28128", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2024-03-06T08:57:24.421Z", "datePublished": "2024-03-18T07:31:34.749Z", "dateUpdated": "2025-03-20T19:10:27.895Z"}, "containers": {"cna": {"affected": [{"vendor": "unclebob", "product": "FitNesse", "versions": [{"version": "releases prior to 20220319", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter."}], "problemTypes": [{"descriptions": [{"description": "Cross-site scripting (XSS)", "lang": "en", "type": "text"}]}], "references": [{"url": "https://github.com/unclebob/fitnesse"}, {"url": "http://fitnesse.org/FitNesseDownload"}, {"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"}, {"url": "https://jvn.jp/en/jp/JVN94521208/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-03-18T07:31:34.749Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-20T15:28:48.322618Z", "id": "CVE-2024-28128", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T19:10:27.895Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.936Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/unclebob/fitnesse", "tags": ["x_transferred"]}, {"url": "http://fitnesse.org/FitNesseDownload", "tags": ["x_transferred"]}, {"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN94521208/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/unclebob/fitnesse", "tags": ["x_transferred"]}, {"url": "http://fitnesse.org/FitNesseDownload", "tags": ["x_transferred"]}, {"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN94521208/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.936Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-28128", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-20T15:28:48.322618Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:19.059Z"}}], "cna": {"affected": [{"vendor": "unclebob", "product": "FitNesse", "versions": [{"status": "affected", "version": "releases prior to 20220319"}]}], "references": [{"url": "https://github.com/unclebob/fitnesse"}, {"url": "http://fitnesse.org/FitNesseDownload"}, {"url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"}, {"url": "https://jvn.jp/en/jp/JVN94521208/"}], "descriptions": [{"lang": "en", "value": "Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Cross-site scripting (XSS)"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2024-03-18T07:31:34.749Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28128", "state": "PUBLISHED", "dateUpdated": "2025-03-20T19:10:27.895Z", "dateReserved": "2024-03-06T08:57:24.421Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2024-03-18T07:31:34.749Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cleancoder:fitnesse:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF13B921-D37A-4163-B676-B56F7AA5587C", "versionEndExcluding": "20220319", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting vulnerability exists in FitNesse releases prior to 20220319, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter."}, {"lang": "es", "value": "Existe una vulnerabilidad de cross-site scripting en las versiones de FitNesse anteriores a 20220319, lo que puede permitir que un atacante remoto no autenticado ejecute un script arbitrario en el navegador web del usuario que utiliza el producto y accede a un enlace con un determinado par\u00e1metro especialmente manipulado."}], "id": "CVE-2024-28128", "lastModified": "2025-03-20T19:15:28.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-18T08:15:06.400", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Product", "Release Notes"], "url": "http://fitnesse.org/FitNesseDownload"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://github.com/unclebob/fitnesse"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN94521208/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Release Notes"], "url": "http://fitnesse.org/FitNesseDownload"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/unclebob/fitnesse"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/unclebob/fitnesse/blob/master/SECURITY.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN94521208/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}