CVE-2024-48761
Published: 29 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-48761 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, in Celk Sistemas Celk Saude version 3.1.252.1. The flaw lets a remote attacker inject arbitrary JavaScript via the "erro" parameter. It was published on 2025-01-29 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability is reachable over the network with low attack complexity and requires no privileges or authentication, but it does require user interaction, such as the victim clicking a crafted link. Successful exploitation has high impact on confidentiality, integrity, and availability: an attacker can steal sensitive data such as session tokens, take over accounts, or carry out other client-side attacks within the victim's browser context.
The only reference is a GitHub repository at https://github.com/gabriel-bri/vulnerability-research/tree/main/CVE-2024-48761, maintained by vulnerability researcher gabriel-bri, which documents the issue. No vendor advisory or patch information is provided in the available data.
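The record describes the classic reflected-XSS pattern: a request parameter is copied into the HTML response without output encoding. The following is an added example, not code from the CVE record, the researcher's repository or the Celk Saude product. It keeps only the parameter name "erro" from the record; the host, path, page template, function names and sample inputs are constructed here. It places a vulnerable renderer beside a hardened one that applies HTML entity encoding, plus a small check that flags any tag the fixed template did not emit, which is the kind of assertion a regression test for this bug would make.

```javascript
// Added example (not from the CVE record or the vendor): reflected XSS via a query
// parameter, shown as a vulnerable renderer beside a hardened one.
// Only the parameter name "erro" comes from the record; everything else is constructed.

// Constructed request URLs. The first carries a well-known probe string; the second
// is a benign Portuguese error message, since the affected product is Brazilian.
const CONSTRUCTED_PROBE_URL =
  'https://app.example.invalid/login?erro=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
const CONSTRUCTED_BENIGN_URL =
  'https://app.example.invalid/login?erro=Senha+inv%C3%A1lida';

// Entity-encode text destined for an HTML element body. This encoder is only
// correct for that context; attribute values, URLs and inline script need their
// own context-specific encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the "erro" query parameter from a request URL (WHATWG URL API, decoded).
function getErroParam(requestUrl) {
  const url = new URL(requestUrl, 'https://example.invalid');
  return url.searchParams.get('erro') ?? '';
}

// VULNERABLE: the parameter is interpolated into the page as raw HTML, so any
// markup in it becomes part of the DOM and runs in the victim's browser.
function renderErrorPageVulnerable(requestUrl) {
  const erro = getErroParam(requestUrl);
  return `<html><body><div class="error">${erro}</div></body></html>`;
}

// HARDENED: the same template with contextual output encoding applied to the
// untrusted value. The message still displays, but angle brackets are inert.
function renderErrorPageHardened(requestUrl) {
  const erro = getErroParam(requestUrl);
  return `<html><body><div class="error">${escapeHtml(erro)}</div></body></html>`;
}

// Check usable in a regression test: return every tag name in the rendered HTML
// that is not part of the fixed template. A non-empty result means untrusted
// input was reflected as markup.
function unexpectedTags(html) {
  const allowed = new Set(['html', 'body', 'div', '/html', '/body', '/div']);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => !allowed.has(t));
}

// Stand-alone run: show both renderers against both constructed inputs.
for (const url of [CONSTRUCTED_PROBE_URL, CONSTRUCTED_BENIGN_URL]) {
  console.log('vulnerable:', renderErrorPageVulnerable(url),
    'unexpected tags:', unexpectedTags(renderErrorPageVulnerable(url)));
  console.log('hardened:  ', renderErrorPageHardened(url),
    'unexpected tags:', unexpectedTags(renderErrorPageHardened(url)));
}
```

The hardened renderer is the minimal fix for an element-body context; a real application should pair it with a templating engine that encodes by default, a Content Security Policy that disallows inline script, and `HttpOnly` session cookies so that a residual XSS cannot read the token directly.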
Details
- CWE(s): CWE-79
- Affected Products: Celk Sistemas Celk Saude 3.1.252.1
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in the web application lets remote attackers inject and execute arbitrary JavaScript in victims' browsers, which maps directly to exploitation of a public-facing application.