CVE-2023-2398 — Cross-site Scripting in Engage

Severity
6.1 MEDIUM (NVD)
EPSS
0.2%
top 62.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jun 12

Description

The Icegram Engage WordPress plugin before 3.1.12 does not escape a parameter before outputting it back in an attribute, leading to a reflected cross-site scripting (XSS) vulnerability that could be used against high-privilege users such as admins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (1 package)

NVD: icegram/icegram_engage < 3.1.12

Vulnerability Details

2
CVEList
Icegram Engage < 3.1.12 - Reflected XSS ↗ 2023-06-12
GHSA
GHSA-43qj-8555-mr85: The Icegram Engage WordPress plugin before 3 ↗ 2023-06-12