CVE-2024-4310 - Vulnerability Details - OpenCVE

Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ofofonobsdev	Hubbank

Configuration 1 [-]

cpe:2.3:a:ofofonobsdev:hubbank:1.0.2:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank

History

Wed, 23 Apr 2025 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ofofonobsdev Ofofonobsdev hubbank
CPEs		cpe:2.3:a:ofofonobsdev:hubbank:1.0.2:::::::*
Vendors & Products		Ofofonobsdev Ofofonobsdev hubbank

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-04-29T12:35:48.526Z

Updated: 2024-08-01T20:33:53.174Z

Reserved: 2024-04-29T10:10:08.692Z

Link: CVE-2024-4310

Vulnrichment

Updated: 2024-08-01T20:33:53.174Z

NVD

Status : Analyzed

Published: 2024-04-29T13:15:32.050

Modified: 2025-04-23T16:35:48.543

Link: CVE-2024-4310

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4310", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-04-29T10:10:08.692Z", "datePublished": "2024-04-29T12:35:48.526Z", "dateUpdated": "2024-08-01T20:33:53.174Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HubBank", "vendor": "Ofofonobs", "versions": [{"status": "affected", "version": "1.0.2"}]}], "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "datePublic": "2024-04-29T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover."}], "value": "Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-04-29T12:35:48.526Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-site Scripting (XSS) vulnerability in HubBank", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4310", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-29T14:09:34.618241Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ofofonobs:hubbank:1.0.2:*:*:*:*:*:*:*"], "vendor": "ofofonobs", "product": "hubbank", "versions": [{"status": "affected", "version": "1.0.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:53:53.861Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:53.174Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:33:53.174Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4310", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-29T14:09:34.618241Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ofofonobs:hubbank:1.0.2:*:*:*:*:*:*:*"], "vendor": "ofofonobs", "product": "hubbank", "versions": [{"status": "affected", "version": "1.0.2"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T14:05:10.955Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Cross-site Scripting (XSS) vulnerability in HubBank", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "David Ut\u00f3n Amaya (m3n0sd0n4ld)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ofofonobs", "product": "HubBank", "versions": [{"status": "affected", "version": "1.0.2"}], "defaultStatus": "unaffected"}], "datePublic": "2024-04-29T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover.", "supportingMedia": [{"type": "text/html", "value": "Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-04-29T12:35:48.526Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4310", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:33:53.174Z", "dateReserved": "2024-04-29T10:10:08.692Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-04-29T12:35:48.526Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ofofonobsdev:hubbank:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D77CAD6D-B281-4B50-AB0B-D13F84E7A0B4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover."}, {"lang": "es", "value": "Vulnerabilidad de cross site scripting (XSS) en HubBank que afecta a la versi\u00f3n 1.0.2. Esta vulnerabilidad permite a un atacante enviar un payload de JavaScript especialmente manipulado a formularios de registro y perfil y activar el payload cuando cualquier usuario autenticado carga la p\u00e1gina, lo que resulta en una toma de control de la sesi\u00f3n."}], "id": "CVE-2024-4310", "lastModified": "2025-04-23T16:35:48.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-29T13:15:32.050", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hubbank"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}