CVE-2024-28734

MEDIUM EXPLOITED NUCLEI

Coda v.2024Q1 - Cross-Site Scripting

Title source: nuclei

Description

Cross Site Scripting vulnerability in Unit4 Financials by Coda prior to 2023Q4 allows a remote attacker to run arbitrary code via a crafted GET request using the cols parameter.

Exploits (1)

github WORKING POC 4 stars

by halilkirazkaya · poc

https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2024/CVE-2024-28734.md

View Code ZIP pw:eip

Nuclei Templates (1)

Coda v.2024Q1 - Cross-Site Scripting

MEDIUMby s4e-io

References (3)

[Various Sources] https://www.unit4.com/

[Various Sources] https://www.unit4.com/products/financial-management-software

[Exploit, Third Party Advisory] https://packetstormsecurity.com/files/177619/Financials-By-Coda-Cross-Site-Scripting.html

Scores

CVSS v3 6.1

EPSS 0.1135

EPSS Percentile 93.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

Details

VulnCheck KEV 2024-04-27

CWE

CWE-79

Status published

Published Mar 19, 2024

Tracked Since Feb 18, 2026