CVE-2024-36076

HIGH

SysReptor 2024.28-2024.30 - Cross-Site WebSocket Hijacking

Title source: llm

Description

Cross-Site WebSocket Hijacking in SysReptor from version 2024.28 to version 2024.30 causes attackers to escalate privileges and obtain sensitive information when a logged-in SysReptor user visits a malicious same-site subdomain in the same browser session.

References (2)

Core 2

Core References

Release Notes

https://github.com/Syslifters/sysreptor/releases/tag/2024.40

Vendor Advisory

https://github.com/Syslifters/sysreptor/security/advisories/GHSA-2vfc-3h43-vghh

Scores

CVSS v3 8.8

EPSS 0.0025

EPSS Percentile 15.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-352

Status published

Products (1)

syslifters/sysreptor 2024.28 - 2024.40

Published May 19, 2024

Tracked Since Feb 18, 2026