{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-6585","assignerOrgId":"027e81ed-0dd4-4685-ab4d-884aec5bb484","state":"PUBLISHED","assignerShortName":"Mandiant","dateReserved":"2024-07-08T21:24:56.349Z","datePublished":"2024-08-30T22:17:28.565Z","dateUpdated":"2024-09-03T14:52:05.350Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://github.com/lightdash/lightdash","defaultStatus":"affected","product":"Lightdash","vendor":"Lightdash","versions":[{"changes":[{"at":"0.1042.2","status":"unaffected"}],"lessThan":"0.1042.2","status":"affected","version":"0.1024.6","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Kenneth Chiong, Mandiant"},{"lang":"en","type":"reporter","value":"Kenneth Chiong, Mandiant"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Multiple stored cross-site scripting (“XSS”) vulnerabilities in the markdown dashboard and dashboard comment functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to inject malicious scripts into vulnerable web pages. A threat actor could potentially exploit this vulnerability to store malicious JavaScript which executes in the context of a user’s session with the application."}],"value":"Multiple stored cross-site scripting (“XSS”) vulnerabilities in the markdown dashboard and dashboard comment functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to inject malicious scripts into vulnerable web pages. 
An authenticated threat actor who can author markdown dashboard tiles or dashboard comments could store JavaScript that executes in the browser of another user who views the injected content, in the context of that user’s session with the application (CVSS 3.1 base score 5.4, Medium: low privileges and victim interaction required, scope changed). Affected versions are 0.1024.6 up to but not including 0.1042.2; the issue is fixed in Lightdash 0.1042.2 (pull requests 9359 and 9510)."}],"impacts":[{"descriptions":[{"lang":"en","value":"xss"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"027e81ed-0dd4-4685-ab4d-884aec5bb484","shortName":"Mandiant","dateUpdated":"2024-08-30T22:20:44.647Z"},"references":[{"url":"https://github.com/google/security-research/security/advisories/GHSA-6529-6jv3-66q2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-6585"},{"url":"https://github.com/lightdash/lightdash"},{"url":"https://github.com/lightdash/lightdash/releases/tag/0.1042.2"},{"url":"https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9510.patch"},{"url":"https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9359.patch"},{"url":"https://github.com/lightdash/lightdash/pull/9510"},{"url":"https://github.com/lightdash/lightdash/pull/9359"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"lightdash","product":"lightdash","cpes":["cpe:2.3:a:lightdash:lightdash:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0.1024.6","status":"affected","lessThan":"0.1042.2","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":5.4,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","integrityImpact":"LOW","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"LOW","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-09-03T14:50:48.806492Z","id":"CVE-2024-6585","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-03T14:52:05.350Z"}}]}}