Home > Vulnerability Database > CVE-2024-33670

Mend.io Vulnerability Database

CVE-2024-33670

Date: April 25, 2024

Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.

Language: PHP

Severity Score

4.3

Related Resources (6)

Url: https://www.passbolt.com/incidents

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-33670

Url: https://help.passbolt.com/incidents/reflective-html-injection-vulnerability

Url: https://github.com/passbolt/passbolt_api/commit/5c537849040990086dcd5013b5bb009e1dad3fb6

Url: https://www.passbolt.com/security/more

Url: https://www.mend.io/vulnerability-database/CVE-2024-33670

Severity Score

4.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-33670

Date: April 25, 2024

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?