CVE-2024-33326
published 2024-06-26


Priority: P2 · 78 · medium · 6.1 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Flags: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 0.81% (52.3rd percentile)
A cross-site scripting (XSS) vulnerability in the component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the lumPageID parameter.

Detection & IOCs (extracted from sources)

path: /portal/XsltResultControllerHtml.jsp
path: /XsltResultControllerHtml.jsp
url: /portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=confirm(document.domain)&xslContentFilePath=
url: /XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=confirm(document.domain)&xslContentFilePath=
  • Detect GET requests to XsltResultControllerHtml.jsp whose lumPageId parameter carries a JavaScript payload (e.g., confirm(document.domain)); the response body reflects the injected payload verbatim.
  • Exploitation targets the lumPageID (also seen as lumPageId) parameter of XsltResultControllerHtml.jsp; monitor HTTP GET requests to this endpoint for unsanitized script content in that parameter.
  • Vulnerable responses set a cookie prefixed with 'lum' and return Content-Type text/html with HTTP 200; use this combination to confirm exploitation.
  • The vulnerability affects LumisXP versions 15.0.x through 16.1.x only; scope detections to this version range to reduce false positives.
  • The endpoint may be reachable at two different paths (/portal/XsltResultControllerHtml.jsp and /XsltResultControllerHtml.jsp); detection rules should cover both.

CVSS provenance

NVD (CVSS v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck: 6.1 MEDIUM