Description
JavaScript execution via malicious molfiles (XSS)
Impact
The viewer plugin implementation of <mol:molecule> renders molfile data directly inside a <script> tag without any escaping. Because the HTML parser terminates a script element at the first "</script" it encounters, regardless of the surrounding JavaScript string or comment context, a molfile containing that sequence followed by attacker-chosen markup turns the rest of the data into page content. Arbitrary JavaScript can thus be executed in the victim's browser via a crafted molfile.
Patches
Patched in v0.3.0: molfile data is now rendered as the value attribute of a hidden <input> element and escaped via JSF's standard attribute encoding. Attribute escaping turns "<" into "&lt;", so the data can no longer close or open a script element.
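The two rendering patterns this advisory describes, side by side, as an added example that is not MolecularFaces code. The sample molfile, both renderers, the attribute escaper and the helper that counts script start tags are constructed here to show the mechanism; the escaper is a minimal stand-in for JSF's attribute encoding, not JSF's implementation.

```javascript
// Added illustration of the vulnerable (pre-0.3.0) and patched (0.3.0) rendering
// patterns described in the advisory. NOT MolecularFaces code: every function
// and the sample molfile below are constructed for this example.

// Constructed molfile: a plausible V2000 block whose last line carries an HTML
// break-out. A molfile is free text as far as the renderer is concerned.
const MALICIOUS_MOLFILE = [
  "benzene",
  "  constructed 2D",
  "",
  "  0  0  0  0  0  0  0  0  0  0999 V2000",
  "M  END",
  "</script><script>alert(document.cookie)</script><script>",
].join("\n");

// Vulnerable pattern: molfile text placed straight into a <script> body.
// The HTML parser ends the script element at the first "</script", so the
// payload's own <script> becomes a sibling element and executes even though
// the first script is left syntactically broken.
function renderUnsafe(molfile) {
  return "<script>var molfile = `" + molfile + "`;</script>";
}

// Minimal HTML attribute escaper (stand-in for what a JSF ResponseWriter does
// when it writes the value attribute of <h:inputHidden>). Escaping "<" is what
// rules out any "</script" or "<script" inside the rendered markup.
function escapeHtmlAttribute(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Patched pattern: the molfile becomes the value of a hidden <input>; the
// viewer script would read it back with document.getElementById(id).value.
function renderSafe(id, molfile) {
  return '<input type="hidden" id="' + id + '" value="' + escapeHtmlAttribute(molfile) + '">';
}

// What the browser's attribute parsing does to the escaped value: a single-pass
// entity decode. Used here to show the round trip without a DOM.
function decodeHtmlAttribute(attr) {
  const map = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return attr.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => map[e]);
}

// Count the <script ...> start tags an HTML parser would see in the markup.
// The unsafe template contributes exactly one; anything beyond that is
// attacker-controlled.
function scriptStartTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// The value the hidden input hands back to the viewer script (entities decoded).
function hiddenInputValue(html) {
  const m = html.match(/value="([^"]*)"/);
  return m ? decodeHtmlAttribute(m[1]) : null;
}

// Summary of both renderings for the constructed payload.
function demo() {
  const unsafeHtml = renderUnsafe(MALICIOUS_MOLFILE);
  const safeHtml = renderSafe("mol", MALICIOUS_MOLFILE);
  return {
    unsafeScriptTags: scriptStartTags(unsafeHtml),   // 3: template + two injected
    safeScriptTags: scriptStartTags(safeHtml),       // 0
    safeHtmlContainsScriptClose: safeHtml.includes("</script"), // false
    roundTripIntact: hiddenInputValue(safeHtml) === MALICIOUS_MOLFILE, // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the example makes is that the fix is not about JavaScript string escaping: the break-out happens in the HTML parser before any script runs, so only HTML-context escaping (or a non-script carrier such as the hidden input) closes it, while the decoded value the viewer receives is still byte-for-byte the original molfile.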
Workarounds
No workaround available.
Packages
Name: de.ipb-halle:molecularfaces (Maven)
Affected versions: < 0.3.0
Fixed version: 0.3.0
Related vulnerabilities
CVSS3: 6.1
NVD, about 2 years ago
MolecularFaces before 0.3.0 is vulnerable to cross-site scripting. A remote attacker can execute arbitrary JavaScript in the context of a victim browser via crafted molfiles.