CVE-2024-6361 - Vulnerability Details - OpenCVE

Improper Neutralization vulnerability (XSS) has been discovered in OpenText™ ALM Octane. The vulnerability affects all version prior to version 23.4. The vulnerability could cause remote code execution attack.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Opentext	Alm Octane

Configuration 1 [-]

cpe:2.3:a:opentext:alm_octane:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://portal.microfocus.com/s/article/KM000032605?language=en_US

History

Wed, 28 Aug 2024 18:45:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Tue, 06 Aug 2024 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opentext Opentext alm Octane
CPEs		cpe:2.3:a:opentext:alm_octane::::::::
Vendors & Products		Opentext Opentext alm Octane
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: OpenText

Published: 2024-08-05T18:22:14.283Z

Updated: 2024-11-01T17:44:47.667Z

Reserved: 2024-06-26T20:35:12.099Z

Link: CVE-2024-6361

Vulnrichment

Updated: 2024-08-06T20:02:48.820Z

NVD

Status : Analyzed

Published: 2024-08-05T19:15:38.333

Modified: 2024-08-28T18:17:35.497

Link: CVE-2024-6361

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6361", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "state": "PUBLISHED", "assignerShortName": "OpenText", "dateReserved": "2024-06-26T20:35:12.099Z", "datePublished": "2024-08-05T18:22:14.283Z", "dateUpdated": "2024-11-01T17:44:47.667Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ALM Octane.", "vendor": "OpenText\u2122", "versions": [{"lessThan": "23.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Vaibhav Kumar Srivastava (Esecforte Technologies Pvt. Ltd.)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Improper Neutralization vulnerability (XSS) has been discovered in OpenText\u2122 ALM Octane. The vulnerability affects all version prior to version 23.4. </span><span style=\"background-color: rgb(255, 255, 255);\">The vulnerability could cause remote code execution attack.</span>\n\n<br>"}], "value": "Improper Neutralization vulnerability (XSS) has been discovered in OpenText\u2122 ALM Octane. The vulnerability affects all version prior to version 23.4.\u00a0The vulnerability could cause remote code execution attack."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 7.3, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "RED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:A/V:C/RE:M/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2024-11-01T17:44:47.667Z"}, "references": [{"url": "https://portal.microfocus.com/s/article/KM000032605?language=en_US"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://portal.microfocus.com/s/article/KM000032605\">https://portal.microfocus.com/s/article/KM000032605</a>"}], "value": "https://portal.microfocus.com/s/article/KM000032605"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Neutralization vulnerability (XSS) has been discovered in OpenText\u2122 ALM Octane product.", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "opentext", "product": "alm_octane", "cpes": ["cpe:2.3:a:opentext:alm_octane:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "23.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-06T19:58:13.768687Z", "id": "CVE-2024-6361", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T20:03:29.112Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6361", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-06T19:58:13.768687Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:opentext:alm_octane:*:*:*:*:*:*:*:*"], "vendor": "opentext", "product": "alm_octane", "versions": [{"status": "affected", "version": "0", "lessThan": "23.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T20:02:48.820Z"}}], "cna": {"title": "Improper Neutralization vulnerability (XSS) has been discovered in OpenText\u2122 ALM Octane product.", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Vaibhav Kumar Srivastava (Esecforte Technologies Pvt. Ltd.)"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 7.3, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:A/V:C/RE:M/U:Red", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenText\u2122", "product": "ALM Octane.", "versions": [{"status": "affected", "version": "0", "lessThan": "23.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "https://portal.microfocus.com/s/article/KM000032605", "supportingMedia": [{"type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://portal.microfocus.com/s/article/KM000032605\">https://portal.microfocus.com/s/article/KM000032605</a>", "base64": false}]}], "references": [{"url": "https://portal.microfocus.com/s/article/KM000032605?language=en_US"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization vulnerability (XSS) has been discovered in OpenText\u2122 ALM Octane. The vulnerability affects all version prior to version 23.4.\u00a0The vulnerability could cause remote code execution attack.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Improper Neutralization vulnerability (XSS) has been discovered in OpenText\u2122 ALM Octane. The vulnerability affects all version prior to version 23.4. </span><span style=\"background-color: rgb(255, 255, 255);\">The vulnerability could cause remote code execution attack.</span>\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "OpenText", "dateUpdated": "2024-11-01T17:44:47.667Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6361", "state": "PUBLISHED", "dateUpdated": "2024-11-01T17:44:47.667Z", "dateReserved": "2024-06-26T20:35:12.099Z", "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "datePublished": "2024-08-05T18:22:14.283Z", "assignerShortName": "OpenText"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opentext:alm_octane:*:*:*:*:*:*:*:*", "matchCriteriaId": "107C8D81-928E-491C-99E5-F52C2B43B332", "versionEndExcluding": "23.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization vulnerability (XSS) has been discovered in OpenText\u2122 ALM Octane. The vulnerability affects all version prior to version 23.4.\u00a0The vulnerability could cause remote code execution attack."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de neutralizaci\u00f3n incorrecta (XSS) en OpenText\u2122 ALM Octane. La vulnerabilidad afecta a todas las versiones anteriores a la versi\u00f3n 23.4. La vulnerabilidad podr\u00eda provocar un ataque de ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2024-6361", "lastModified": "2024-08-28T18:17:35.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "automatable": "NO", "availabilityRequirements": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "RED", "recovery": "AUTOMATIC", "safety": "NEGLIGIBLE", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:C/RE:M/U:Red", "version": "4.0", "vulnerabilityResponseEffort": "MODERATE", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2024-08-05T19:15:38.333", "references": [{"source": "security@opentext.com", "tags": ["Vendor Advisory"], "url": "https://portal.microfocus.com/s/article/KM000032605?language=en_US"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@opentext.com", "type": "Secondary"}]}