CVE-2024-48228: Funadmin Cross-site Scripting vulnerability

October 26, 2024 (updated October 28, 2024)

An issue was found in funadmin 5.0.2. The selectfiles method in \backend\controller\sys\Attachh.php directly stores the passed parameters and values into the param parameter without filtering, resulting in Cross Site Scripting (XSS).

References

github.com/advisories/GHSA-j9wp-x5q5-xh2f
github.com/funadmin/funadmin
github.com/funadmin/funadmin/issues/31
nvd.nist.gov/vuln/detail/CVE-2024-48228

Code Behaviors & Features

Detect and mitigate CVE-2024-48228 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →