How severe is CVE-2024-34070?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.6 out of 10.

What type of vulnerability is CVE-2024-34070?

This is classified as CWE-79, which is a common weakness in software security.

CVE-2024-34070 - CRITICAL Severity | CVSS 9.6

Vulnerability Description

Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.

Related Vulnerabilities

CVE-2011-3642

CRITICAL

CVSS:9.6(Critical)

Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web scr...

CWE-792011

CVE-2014-5039

CRITICAL

CVSS:9.6(Critical)

Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CWE-792014

CVE-2015-10073

CRITICAL

CVSS:9.6(Critical)

A vulnerability, which was classified as problematic, was found in tinymighty WikiSEO 1.2.1 on MediaWiki. This affects the function modifyHTML of the file WikiSEO.body.php of the component Meta Proper...

CWE-792015

CVE-2015-20105

CRITICAL

CVSS:9.6(Critical)

The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due t...

CWE-792015

CVE-2018-18864

CRITICAL

CVSS:9.6(Critical)

Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache HTTP Server logs are displayed.

CWE-792018

CVE-2019-13363

CRITICAL

CVSS:9.6(Critical)

admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail&...

CWE-792019