CVE-2024-51380
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-51380
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51380.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-51380
- Published
- 2024-11-05T19:15:07Z
- Modified
- 2025-06-27T10:55:57.873945Z
- Summary
- [none]
- Details
-
Stored Cross-Site Scripting (XSS) vulnerability discovered in the Properties Component of JATOS v3.9.3. This flaw allows an attacker to inject malicious JavaScript into the properties section of a study, specifically within the UUID field. When an admin user accesses the study's properties, the injected script is executed in the admin's browser, which could lead to unauthorized actions, including account compromise and privilege escalation.
- References
Affected packages
Git / github.com/jatos/jatos
Affected ranges
- Type
- GIT
- Repo
- https://github.com/jatos/jatos
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
g3.*
g3.5.4
j3.*
j3.3.5
n3.*
n3.3.5
v1.*
v1.0alpha
v1.1.1-alpha
v1.1.10-beta
v1.1.11-beta
v1.1.2-alpha
v1.1.3-beta
v1.1.4-beta
v1.1.5-beta
v1.1.6-beta
v1.1.7-beta
v1.1.8-beta
v1.1.9-beta
v1.1alpha
v2.*
v2.1.1-alpha
v2.1.10-beta
v2.1.11-beta
v2.1.12-beta
v2.1.2-alpha
v2.1.3-alpha
v2.1.4-alpha
v2.1.5-beta
v2.1.6-beta
v2.1.7-beta
v2.1.8-beta
v2.1.9-beta
v2.2.1-beta
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v3.*
v3.1.1-beta
v3.1.10
v3.1.11
v3.1.12
v3.1.2-beta
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.1
v3.2.2
v3.2.3
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.4.1
v3.4.2
v3.5.1
v3.5.10
v3.5.11
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.6-alpha
v3.5.7
v3.5.8
v3.5.9
v3.5.9-beta
v3.6.1
v3.7.1
v3.7.1-alpha
v3.7.2
v3.7.3
v3.7.3-alpha
v3.7.4
v3.7.4-alpha
v3.7.5
v3.7.5-alpha
v3.7.6
v3.8.1
v3.8.1-alpha
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.8.5-alpha
v3.8.6
v3.9.1
v3.9.1-alpha
v3.9.2
v3.9.3