
CVE-2024-27609: Bonita cross-site scripting vulnerability

CVSS v3.1 Score: 6.1

Basic Information

EPSS Score: 0.14395%
Published: 4/1/2024
Updated: 11/8/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.bonitasoft.console:bonita-web-server | maven | < 10.1.0.W11 | 10.1.0.W11
org.bonitasoft.platform:platform-resources | maven | < 10.1.0.W11 | 10.1.0.W11

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability arises from the absence of input sanitization in specific API endpoints handling user input in the administration panel. The provided data primarily shows the fix (adding the SanitizerFilter and enabling it via configuration) but does not explicitly identify the exact pre-patch functions responsible for processing user input without sanitization. The core issue is the lack of sanitization in vulnerable versions, but the specific functions in the affected packages (bonita-web-server and platform-resources) that directly handle the unsanitized input are not named in the provided code diffs or descriptions. Thus, no functions can be confidently identified with high certainty based on the available information.

Vulnerable functions


WAF Protection Rules

WAF Rule

Bonita before 10.1.0.W11 allows stored XSS via a UI screen in the administration panel.
