CVE-2024-56882

MEDIUM

Sage DPW <2024_12_000 - XSS

Title source: llm

Description

Sage DPW before 2024_12_000 is vulnerable to Cross Site Scripting (XSS). Low-privileged Sage users with employee role privileges can permanently store JavaScript code in the Kurstitel and Kurzinfo input fields. The injected payload is executed for each authenticated user who views and interacts with the modified data elements.

Exploits (1)

nomisec WRITEUP

by trustcves · poc

https://github.com/trustcves/CVE-2024-56882

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://cves.at/posts/cve-cve-2024-56882/writeup/

Scores

CVSS v3 5.4

EPSS 0.0043

EPSS Percentile 62.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

sagedpw/sage_dpw < 2024_12_000

Published Feb 18, 2025

Tracked Since Feb 18, 2026