CVE-2024-3378

MEDIUM EXPLOITED NUCLEI

iboss Secure Web Gateway <10.1 - XSS

Title source: llm

Exploitation Summary

CVE-2024-3378 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains functional exploit code for multiple CVEs, including remote file inclusion, path traversal, and arbitrary file deletion vulnerabilities. The PoCs are well-structured and include specific HTTP requests to exploit the vulnerabilities.

Description

A vulnerability has been found in iboss Secure Web Gateway up to 10.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login of the component Login Portal. The manipulation of the argument redirectUrl leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.2.0.160 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-259501 was assigned to this vulnerability.

Exploits (1)

github WORKING POC 4 stars

by halilkirazkaya · poc

https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2024/CVE-2024-3378.md

View Code ZIP pw:eip

This repository contains functional exploit code for multiple CVEs, including remote file inclusion, path traversal, and arbitrary file deletion vulnerabilities. The PoCs are well-structured and include specific HTTP requests to exploit the vulnerabilities.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Various (WordPress plugins, QNAP Photo Station, IBM Data Risk Manager, etc.)

No auth needed

Prerequisites: Network access to the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 27, 2026 Full analysis →

Nuclei Templates (1)

iboss Secure Web Gateway - Stored Cross-Site Scripting

MEDIUMVERIFIEDby s4e-io

Shodan: html:"iboss-font.css"

FOFA: body="iboss-font.css"

References (4)

Core 4

Core References

Third Party Advisory vdb-entry technical-description

https://vuldb.com/?id.259501

Permissions Required signature permissions-required

https://vuldb.com/?ctiid.259501

Third Party Advisory third-party-advisory

https://vuldb.com/?submit.310642

Exploit, Third Party Advisory exploit

https://github.com/modrnProph3t/CVE/blob/main/CVE-2024-3378.md

View Exploit ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.2200

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

VulnCheck KEV 2024-12-10

CWE

CWE-79

Status published

Products (1)

iboss/secure_web_gateway < 10.2.0.160

Published Apr 06, 2024

Tracked Since Feb 18, 2026