CVE-2024-33326
MEDIUM EXPLOITED NUCLEILumisxp 15.0.x-16.1.x - Cross-Site Scripting via lumPageID Parameter
Title source: llmExploitation Summary
CVE-2024-33326 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
A cross-site scripting (XSS) vulnerability in the component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the lumPageID parameter.
Nuclei Templates (1)
LumisXP - Cross-site Scripting
MEDIUMVERIFIEDby 0xr2r
References (2)
Core 2
Core References
Various Sources
https://gist.github.com/rodnt/51ae2897abfff1bdcedccf72edbf3d24
Mailing List mailing-list
http://seclists.org/fulldisclosure/2024/Jul/10
Scores
CVSS v3
6.1
EPSS
0.0081
EPSS Percentile
52.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2025-09-25
CWE
CWE-79
Status
published
Published
Jun 26, 2024
Tracked Since
Feb 18, 2026