CyberAlerts

CVE-2024-49708

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for setting delivery address with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-49707

XSS in iKSORIS

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for resetting user's password with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-49706

XSS in iKSORIS

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Open Redirect attacks by including base64 encoded URLs in the target parameter sent in a POST request to one of the endpoints. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.1)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-49705

XSS in iKSORIS

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to client-side Denial of Servise (DoS) attacks. An attacker might trick a user into using an URL with a d parameter set to an unhandled value. All the subsequent requests will not be accepted as the server returns an error message. Since this parameter is sent as part of a session cookie, the issue persists until the session expires or the user deletes cookies manually. Similar effect might be achieved when a user tries to change platform language to an unimplemented one. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-47822

Directus inserts access token from query string into logs

Description: Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not redacted when the `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation. This impacts systems where the `LOG_STYLE` is set to `raw`. The `access_token` in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string. This vulnerability has been patched in release version 10.13.2 and subsequent releases as well. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: MEDIUM (4.2)

EPSS Score: 0.02%

SSVC Exploitation: poc

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-13598

XSS in iKSORIS

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. Using a functionality of creating new form fields one creates new parameters vulnerable to XSS attacks. A user tricked into filling such a form with a malicious script will run the code in their's context. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-13597

XSS in iKSORIS

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form sent to login panel at /softcom/ with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-10090

XSS in iKSORIS

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for adding users with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-10089

XSS in iKSORIS

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for changing user's data with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

Source: CVE

April 14th, 2025 (7 days ago)

CVE-2024-10088

XSS in iKSORIS

Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a login form with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

Source: CVE

April 14th, 2025 (7 days ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-49708	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for setting delivery address with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.1) EPSS Score: 0.05% SSVC Exploitation: none Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-49707	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for resetting user's password with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.1) EPSS Score: 0.05% SSVC Exploitation: none Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-49706	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Open Redirect attacks by including base64 encoded URLs in the target parameter sent in a POST request to one of the endpoints. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.1) EPSS Score: 0.04% SSVC Exploitation: none Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-49705	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to client-side Denial of Servise (DoS) attacks. An attacker might trick a user into using an URL with a d parameter set to an unhandled value. All the subsequent requests will not be accepted as the server returns an error message. Since this parameter is sent as part of a session cookie, the issue persists until the session expires or the user deletes cookies manually. Similar effect might be achieved when a user tries to change platform language to an unimplemented one. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.3) EPSS Score: 0.04% SSVC Exploitation: none Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-47822	Directus inserts access token from query string into logs Description: Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not redacted when the `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to it can potentially gain administrative control, leading to unauthorized data access and manipulation. This impacts systems where the `LOG_STYLE` is set to `raw`. The `access_token` in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using query string. This vulnerability has been patched in release version 10.13.2 and subsequent releases as well. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVSS: MEDIUM (4.2) EPSS Score: 0.02% SSVC Exploitation: poc Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-13598	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. Using a functionality of creating new form fields one creates new parameters vulnerable to XSS attacks. A user tricked into filling such a form with a malicious script will run the code in their's context. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.1) EPSS Score: 0.05% SSVC Exploitation: none Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-13597	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form sent to login panel at /softcom/ with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.1) EPSS Score: 0.05% SSVC Exploitation: none Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-10090	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for adding users with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.1) EPSS Score: 0.05% SSVC Exploitation: none Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-10089	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form designed for changing user's data with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.1) EPSS Score: 0.05% Source: CVE April 14th, 2025 (7 days ago)
CVE-2024-10088	XSS in iKSORIS Description: Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a login form with a malicious script, what causes the script to run in user's context. This vulnerability has been patched in version 79.0 CVSS: MEDIUM (5.1) EPSS Score: 0.05% Source: CVE April 14th, 2025 (7 days ago)