CVE-2024-6892
Published: 08 August 2024
Summary
CVE-2024-6892 is a medium-severity Improper Neutralization of Script in an Error Message Web Page (CWE-81) vulnerability in the Journyx web application (vendor: Journyx). Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-6892 is a reflected cross-site scripting vulnerability (CWE-79, with CWE-81 as the more specific weakness: script reflected into an error message page) in the Journyx web application. An attacker supplies a crafted URL whose parameter the application echoes, unencoded, into a page returned to the victim's browser, so attacker-controlled JavaScript executes in the context of the Journyx origin. The flaw carries a CVSS 3.1 score of 6.1: network attack vector, low attack complexity, no privileges required, user interaction required. With those metrics, 6.1 is the score produced by a changed scope and low confidentiality and integrity impact, the usual profile for reflected XSS.
An unauthenticated attacker crafts a malicious link and delivers it to a Journyx user via email, chat, or another channel. When the recipient follows the link, the attacker's JavaScript runs inside the Journyx session and can issue requests as that user, reading or modifying the application data visible to them. Whether the session cookie itself can be read depends on whether it is marked HttpOnly, but script running in the origin does not need the cookie value to act on the user's behalf. Because the flaw is reflected rather than stored, each victim must interact directly with the attacker-supplied link; nothing persists in the application.
Public advisories from KoreLogic and the Full Disclosure mailing list describe the issue and are available at the referenced URLs; the references supplied with this entry do not detail vendor patches or configuration work-arounds. The associated EPSS score has remained flat at 0.0751 (roughly a 7.5% estimated probability of exploitation activity within 30 days) with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47881
Vulnerability details
Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'); CWE-81 (Improper Neutralization of Script in an Error Message Web Page)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing (including automated DAST) submits XSS payloads to web applications, including URL parameters that end up in error pages, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects or constrains request parameters that carry script-related content; on its own this is a partial control, since tag blocklists are bypassable and the encoding a value needs depends on where it is output.
Contextual output encoding (HTML entity, attribute, or JavaScript encoding as appropriate) applied to every value reflected into generated pages, error pages included, is the control that directly addresses CWE-79 and CWE-81; validating generated output against expected content and a Content-Security-Policy that disallows inline script further reduce exploitability.
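The following is an added illustration of the mechanism described under Deeper analysis and of the controls listed above; it is not Journyx code and not taken from the KoreLogic advisory. The error-page handler, the URL path and the parameter name `msg` are hypothetical, and the crafted URL and probe payloads are constructed for the example. It shows the same reflected value rendered three ways (raw interpolation, a `<script>`-tag blocklist, and HTML-entity encoding) and a pentest-style probe that reports whether a payload comes back unencoded.

```python
"""Reflected XSS in an error page (CWE-81) and the controls that address it.

Added example for this CVE entry, not Journyx code: the handlers below are
hypothetical. The pattern is the one the entry describes: a request
parameter is echoed into an error page, a crafted link carries the payload,
and the fix is contextual output encoding at the point of rendering.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed URL of the kind a phishing message would carry. Host, path and
# parameter name are assumptions for the example, not from the advisory.
CRAFTED_URL = ("https://timesheet.example.invalid/error?"
               "msg=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E")

ERROR_TEMPLATE = "<html><body><h1>Error</h1><p>{msg}</p></body></html>"


def error_message_from_url(url: str) -> str:
    """Extract the reflected parameter the way a web framework would."""
    query = parse_qs(urlsplit(url).query)
    return query.get("msg", [""])[0]


def render_error_vulnerable(msg: str) -> str:
    """Vulnerable: user input is interpolated into HTML without encoding."""
    return ERROR_TEMPLATE.format(msg=msg)


_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def render_error_filtered(msg: str) -> str:
    """Input validation by blocklist: strips <script> tags and nothing else.

    Shown as the weak control, not a recommended one: any payload that does
    not use a script element passes straight through.
    """
    return ERROR_TEMPLATE.format(msg=_SCRIPT_TAG.sub("", msg))


def render_error_safe(msg: str) -> str:
    """Fixed: HTML-entity-encode the value for the HTML text context."""
    return ERROR_TEMPLATE.format(msg=html.escape(msg, quote=True))


def reflects_unescaped(render, payload: str) -> bool:
    """Pentest-style probe: True if the payload survives verbatim in the page."""
    return payload in render(payload)


# Probe payloads. The second one avoids <script> entirely (an event handler
# on an image element), which is why a tag blocklist does not hold.
PAYLOAD_SCRIPT = "<script>alert(1)</script>"
PAYLOAD_HANDLER = "<img src=x onerror=alert(1)>"


def assess() -> dict:
    """Run all three renderers against both probes; True means exploitable."""
    results = {}
    for name, render in (("vulnerable", render_error_vulnerable),
                         ("filtered", render_error_filtered),
                         ("safe", render_error_safe)):
        results[name] = {
            "script": reflects_unescaped(render, PAYLOAD_SCRIPT),
            "handler": reflects_unescaped(render, PAYLOAD_HANDLER),
        }
    return results


if __name__ == "__main__":
    print("reflected value:", error_message_from_url(CRAFTED_URL))
    for renderer, outcome in assess().items():
        print(f"{renderer:10s} script={outcome['script']} "
              f"handler={outcome['handler']}")
```

The probe is deliberately simple: it checks for verbatim reflection of a marker, which is what a scanner or a manual tester does first before confirming execution in a browser. The encoding in `render_error_safe` is correct only for an HTML text context; a value placed inside an attribute, a `<script>` block or a URL needs the encoder for that context, which is why the controls above say "contextual".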