CVE-2024-36494

MEDIUM

Scan2Net < 7.42B - Stored Cross-Site Scripting via -tsetup+-uuser Parameter

Title source: llm
STIX 2.1

Description

Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The login page at /cgi/slogin.cgi suffers from XSS due to improper input filtering of the -tsetup+-uuser parameter, which can only be exploited if the target user is not already logged in. This makes it ideal for login form phishing attempts.

References (3)

Core 3
Core References
Various Sources third-party-advisory
https://r.sec-consult.com/imageaccess

Scores

CVSS v3 4.7
EPSS 0.0047
EPSS Percentile 37.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Image Access GmbH/Scan2Net < 7.42B
Published Dec 12, 2024
Tracked Since Feb 18, 2026