CVE-2024-22414
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2024-22414 is a vulnerability in the flaskBlog app, built with Flask, which allows for the execution of arbitrary JavaScript code. This vulnerability is caused by improper storage and rendering of the `/user/<user>` page. The issue lies in the html template `user.html`, specifically in the code snippet `<div class="content" tag="content">{{comment[2]|safe}}</div>`, where the use of the "safe" tag prevents proper content escaping. The recommended remediation is to remove the `|safe` tag from the HTML. No fix is currently available, so users are advised to manually edit their installation. This vulnerability has a base severity rating of MEDIUM and a base score of 5.4 according to NIST's CVSS v3.1 scoring system. It has a low attack complexity and requires low privileges, but user interaction is required for exploitation. The potential danger this vulnerability poses to an organization is relatively moderate, as it can be exploited remotely over a network and could lead to low integrity and confidentiality impacts.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions