Home > Vulnerability Database > CVE-2024-5165

Mend.io Vulnerability Database

CVE-2024-5165

Good to know:

Date: May 23, 2024

In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of several input fields of the Eclipse Ditto Explorer User Interface https://eclipse.dev/ditto/user-interface.html was not properly neutralized and thus vulnerable to both Reflected and Stored XSS (Cross Site Scripting). Several inputs were not persisted at the backend of Eclipse Ditto, but only in local browser storage to save settings of "environments" of the UI and e.g. the last performed "search queries", resulting in a "Reflected XSS" vulnerability. However, several other inputs were persisted at the backend of Eclipse Ditto, leading to a "Stored XSS" vulnerability. Those mean that authenticated and authorized users at Eclipse Ditto can persist Things in Ditto which can - when being displayed by other users also being authorized to see those Things in the Eclipse Ditto UI - cause scripts to be executed in the browser of other users.

Language: TYPE_SCRIPT

Severity Score

6.5

Related Resources (17)

Url: https://eclipse.dev/ditto/release_notes_356.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-5165

Url: https://github.com/eclipse-ditto/ditto

Url: https://github.com/eclipse-ditto/ditto/commit/8fe1b3b9e0e2c333856dc166c8c3c7d2027c856d

Url: https://eclipse.dev/ditto/release_notes_345.html

Url: https://github.com/eclipse-ditto/ditto/commit/20399a0ab9ef219c7833c24cf8140ddfb298788d

Url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/207

Url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/209

Url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/211

Url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/210

Url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/202

Url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/201

Url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/204

Url: https://gitlab.eclipse.org/security/cve-assignement/-/issues/23

Url: https://github.com/eclipse-ditto/ditto/commit/cce2e961db08b5d591ef34920c61a0f7e7d810e4

Url: https://github.com/eclipse-ditto/ditto/commit/9d1bac36ca7be94516635ef71eedfea6df1e77f4

Url: https://www.mend.io/vulnerability-database/CVE-2024-5165

Severity Score

6.5

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version 3.4.5,3.5.6

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-5165

Good to know:

Date: May 23, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (17)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?