CVE-2024-39926
MEDIUMVaultwarden 1.30.3 - Authenticated Stored Cross-Site Scripting in Admin Dashboard
Title source: llmDescription
An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.
References (3)
Core 3
Core References
Product
https://github.com/dani-garcia/vaultwarden/blob/1.30.3/src/static/scripts/admin_users.js#L201
Exploit, Third Party Advisory
https://www.mgm-sp.com/cve/html-injection-in-vaultwarden
Scores
CVSS v3
5.4
EPSS
0.0043
EPSS Percentile
34.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
dani-garcia/vaultwarden
1.30.3
Published
Sep 13, 2024
Tracked Since
Feb 18, 2026