Description
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters verbatim.
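As an added illustration of the defect class described above (not Fava's code and not the upstream fix linked in the notes), the following compares an error page that interpolates a query parameter verbatim into HTML with one that escapes it first. Function names, message wording and the sample input are assumptions constructed for this example.

```python
import html

# Hypothetical error rendering for a filter/time parameter that failed to parse.
# Not Fava's code: an added example of the unescaped-parameter pattern and its fix.


def render_error_vulnerable(param_name: str, value: str) -> str:
    """Vulnerable pattern: the raw query value is placed into HTML unchanged,
    so any markup in the value is interpreted by the browser."""
    return f'<p class="error">Failed to parse {param_name}: {value}</p>'


def render_error_fixed(param_name: str, value: str) -> str:
    """Hardened pattern: the value is HTML-escaped (including quotes) before it
    is embedded, so it is displayed as text rather than rendered as markup."""
    return f'<p class="error">Failed to parse {param_name}: {html.escape(value, quote=True)}</p>'


def value_is_inert(rendered: str, value: str) -> bool:
    """Check a rendered fragment: the supplied value must not appear verbatim
    when it contains characters that are significant in HTML."""
    if any(ch in value for ch in "<>&\"'"):
        return value not in rendered
    return True


if __name__ == "__main__":
    # Constructed sample input: a malformed time filter carrying harmless markup.
    sample = "2022-13 <b>not a month</b>"
    for renderer in (render_error_vulnerable, render_error_fixed):
        out = renderer("time", sample)
        print(f"{renderer.__name__}: inert={value_is_inert(out, sample)}")
        print("   ", out)
```

The check is deliberately simple: a value containing HTML-significant characters must never reach the output unchanged. In a template engine such as Jinja2 the same effect comes from leaving autoescaping on and not marking the error string as safe.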
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| fava | fixed | 1.23.1-1 | package | |
| fava | no-dsa | bullseye | package | |
| fava | no-dsa | buster | package | |
Notes
https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711 (v1.22)
Related vulnerabilities
Fava time and filter parameters vulnerable to reflected Cross-site Scripting