CVE-2024-28734

MEDIUM EXPLOITED NUCLEI

Coda v.2024Q1 - Cross-Site Scripting

Title source: nuclei

Exploitation Summary

CVE-2024-28734 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains functional proof-of-concept exploits for multiple CVEs, including remote file inclusion, path traversal, and unauthorized file deletion vulnerabilities. Each PoC includes HTTP requests or commands to demonstrate the vulnerability.

Description

Cross Site Scripting vulnerability in Unit4 Financials by Coda prior to 2023Q4 allows a remote attacker to run arbitrary code via a crafted GET request using the cols parameter.

Exploits (1)

github WORKING POC 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2024/CVE-2024-28734.md


Classification
Classification: Working Poc 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Various (WordPress plugins, QNAP Photo Station, IBM Data Risk Manager, etc.)
No auth needed
Prerequisites: Network access to the target system
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

Coda v.2024Q1 - Cross-Site Scripting
MEDIUM by s4e-io

Scores

CVSS v3 6.1
EPSS 0.0179
EPSS Percentile 75.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2024-04-27
CWE CWE-79
Status published
Published Mar 19, 2024
Tracked Since Feb 18, 2026