CVE-2024-45799

Source
https://cve.org/CVERecord?id=CVE-2024-45799
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45799.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-45799
Aliases
  • GHSA-xvqv-25vf-88g4
Published
2024-09-16T18:31:02.504Z
Modified
2025-11-30T06:19:30.146891Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
JavaScript Injection in Vending Info/Buyers Info Module in FluxCP
Details

FluxCP is a web-based Control Panel for rAthena servers, written in PHP. JavaScript injection is possible via the venders/buyers list pages and shop names, which are currently not sanitized. This allows arbitrary JavaScript code to execute in a user's browser when the user simply visits the shop pages. As a result, any user logged in to FluxCP can have their session information stolen. This issue has been addressed in release version 1.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200",
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45799.json"
}
References

Affected packages

Git / github.com/rathena/fluxcp

Affected ranges

Type
GIT
Repo
https://github.com/rathena/fluxcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45799.json"