CVE-2024-35352 - Vulnerability Details - OpenCVE

A vulnerability has been discovered in Diño Physics School Assistant version 2.3. This vulnerability impacts unidentified code within the file /classes/Users.php?f=save. Manipulating the parameter middlename results in cross-site scripting.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dino Physics School Assistant Project	Dino Physics School Assistant

Configuration 1 [-]

cpe:2.3:a:dino_physics_school_assistant_project:dino_physics_school_assistant:2.3:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://vuln.pentester.stream/pentester-vulnerability-research/post/2298742/vuln7-stored-cross-site-scripting-xss

History

Fri, 11 Apr 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dino Physics School Assistant Project Dino Physics School Assistant Project dino Physics School Assistant
CPEs		cpe:2.3:a:dino_physics_school_assistant_project:dino_physics_school_assistant:2.3:::::::*
Vendors & Products		Dino Physics School Assistant Project Dino Physics School Assistant Project dino Physics School Assistant

Mon, 19 Aug 2024 15:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:dino_physics_school_assistant:dino_physics_school_assistant:2.3:::::::*
Vendors & Products	Dino Physics School Assistant Dino Physics School Assistant dino Physics School Assistant
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-05-30T16:08:16.773Z

Updated: 2025-02-13T15:54:14.971Z

Reserved: 2024-05-17T00:00:00.000Z

Link: CVE-2024-35352

Vulnrichment

Updated: 2024-08-02T03:07:46.981Z

NVD

Status : Analyzed

Published: 2024-05-30T17:15:33.480

Modified: 2025-04-11T15:16:59.147

Link: CVE-2024-35352

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-35352", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-02-13T15:54:14.971Z", "datePublished": "2024-05-30T16:08:16.773Z", "dateReserved": "2024-05-17T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-30T16:08:17.131Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in Di\u00f1o Physics School Assistant version 2.3. This vulnerability impacts unidentified code within the file /classes/Users.php?f=save. Manipulating the parameter middlename results in cross-site scripting."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://vuln.pentester.stream/pentester-vulnerability-research/post/2298742/vuln7-stored-cross-site-scripting-xss"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "affected": [{"vendor": "dino_physics_school_assistant_project", "product": "dino_physics_school_assistant", "cpes": ["cpe:2.3:a:dino_physics_school_assistant_project:dino_physics_school_assistant:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.3", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-30T19:17:02.805636Z", "id": "CVE-2024-35352", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T14:40:49.578Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.981Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuln.pentester.stream/pentester-vulnerability-research/post/2298742/vuln7-stored-cross-site-scripting-xss", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://vuln.pentester.stream/pentester-vulnerability-research/post/2298742/vuln7-stored-cross-site-scripting-xss", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.981Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-35352", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-30T19:17:02.805636Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dino_physics_school_assistant_project:dino_physics_school_assistant:*:*:*:*:*:*:*:*"], "vendor": "dino_physics_school_assistant_project", "product": "dino_physics_school_assistant", "versions": [{"status": "affected", "version": "2.3"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-30T19:23:06.278Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://vuln.pentester.stream/pentester-vulnerability-research/post/2298742/vuln7-stored-cross-site-scripting-xss"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in Di\u00f1o Physics School Assistant version 2.3. This vulnerability impacts unidentified code within the file /classes/Users.php?f=save. Manipulating the parameter middlename results in cross-site scripting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-30T16:08:17.131115"}}}, "cveMetadata": {"cveId": "CVE-2024-35352", "state": "PUBLISHED", "dateUpdated": "2024-08-19T14:40:49.578Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre"}, "dataVersion": "5.1"}