Report an incident
Back
  • About us
  • News
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in DirectAdmin Evolution Skin software
20 December 2024 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2024-10385
Publication date 20 December 2024
Vendor DirectAdmin
Product DirectAdmin Evolution Skin
Vulnerable versions All before 1.668
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerability in DirectAdmin Evolution Skin software and participated in coordination of its disclosure.

Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views the ticket, the script might perform actions with their privileges, including command execution.  This issue has been assigned CVE-2024-10385 and was fixed in version 1.668 of DirectAdmin Evolution Skin.

Credits

We thank Dariusz Gońda for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.