CVE-2024-36819

MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the "Client Name" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee dashboards, resulting in unauthorized script execution whenever the dashboard is loaded.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929	Patch
https://github.com/RamonSilva20/mapos/tree/master	Product
https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929	Patch
https://github.com/RamonSilva20/mapos/tree/master	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:mapos:map-os:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-06-25 19:15

Updated : 2025-07-03 16:28

NVD link : CVE-2024-36819

Mitre link : CVE-2024-36819

CVE.ORG link : CVE-2024-36819

JSON object : View

Products Affected

mapos

map-os

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-36819", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-06-25T19:15:11.837", "references": [{"url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/RamonSilva20/mapos/tree/master", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/RamonSilva20/mapos/commit/3559bae4782162faab94670f503fd35b0f331929", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/RamonSilva20/mapos/tree/master", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the \"Client Name\" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee dashboards, resulting in unauthorized script execution whenever the dashboard is loaded."}, {"lang": "es", "value": "MAP-OS 4.45.0 y versiones anteriores son vulnerables a Cross-Site Scripting (XSS). Esta vulnerabilidad permite a usuarios malintencionados insertar un payload malicioso en la entrada \"Nombre del cliente\". Cuando se crea una orden de servicio de este cliente, el payload malicioso se muestra en los paneles de administrador y de empleado, lo que resulta en la ejecuci\u00f3n de scripts no autorizados cada vez que se carga el panel."}], "lastModified": "2025-07-03T16:28:57.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mapos:map-os:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "973182C1-3AA2-453F-ADF9-D1223CB11765", "versionEndIncluding": "4.45.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}