CVE-2024-48228

MEDIUM

funadmin 5.0.2 - Stored Cross-Site Scripting via Attachh.php selectfiles Method

Title source: llm
STIX 2.1

Description

An issue was found in funadmin 5.0.2. The selectfiles method in \backend\controller\sys\Attachh.php directly stores the passed parameters and values into the param parameter without filtering, resulting in Cross Site Scripting (XSS).

References (1)

Core 1
Core References

Scores

CVSS v3 6.1
EPSS 0.0027
EPSS Percentile 18.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
funadmin/funadmin 5.0.2
funadmin/funadmin 0Packagist
Published Oct 25, 2024
Tracked Since Feb 18, 2026