CVE-2024-33670

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-33670

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-33670.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-33670

Aliases

GHSA-2pg6-vw9c-qhjv

Published

2024-04-26T01:15:46.573Z

Modified

2026-04-10T05:13:22.407325Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.

References

Affected packages

Git / github.com/passbolt/passbolt_api

Affected ranges

Type

GIT

Repo

https://github.com/passbolt/passbolt_api

Events

Introduced

Fixed

7a80b3fa7bbc34e05e8356a4d3870f8bf459dbd7

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.6.2"
        }
    ]
}

Affected versions

v2.*

v2.0.0-rc2

v2.11.0

v2.13.0

v2.13.1

v2.13.5

v2.4

v2.5.0

v2.7.0

v2.7.1

v2.8.0

v2.8.1

v2.8.2

v2.8.4

v2.9.0

v3.*

v3.1.0

v3.10.0

v3.11.0

v3.11.1

v3.4.0

v3.4.0-1

v3.4.0-2

v3.5.0

v3.5.0-1

v3.6.0

v3.7.0

v3.7.2

v3.7.2-1

v3.7.3

v3.7.3-1

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.1.0

v4.1.1

v4.1.2

v4.2.0

v4.3.0

v4.4.0

v4.4.1

v4.4.2

v4.5.0

v4.5.2

v4.6.0

v4.6.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-33670.json"