exploitDog

GHSA-4h72-34j6-j8x7

Published: 18 Dec 2023
Source: github
GitHub: Reviewed
CVSS3: 5.4

Description

Maloja error page XSS vulnerability

Impact

The error page for a missing path echoes the path back to the user. If this contains HTML, an attacker could execute a script on the user's machine inside the Maloja context and perform authorized actions like scrobbling or deleting scrobbles. This does not affect the security of your server. The exploit is purely client-side. Since there is very little incentive to mess with your scrobble data and it requires very specific targeting (an attacker would have to send a user a link to their own server), the severity rating might be misleading.
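The fix for this class of bug is to HTML-encode the path before it is interpolated into the error page (or not to echo it at all). The following added example is not Maloja's code; it is a hypothetical, self-contained Python 404 renderer that shows the unsafe pattern the advisory describes next to the escaped form, plus a small regression check of the kind a maintainer could keep in a test suite. The function names and the sample request path are constructed for this illustration.

```python
import html


def render_not_found(path: str, escape: bool = True) -> str:
    """Build a 404 page that echoes the requested path.

    escape=False reproduces the unsafe pattern described in the advisory:
    the path is interpolated into the HTML verbatim, so any markup it
    carries is parsed by the browser in the application's origin.
    escape=True is the fix: html.escape() turns <, >, &, " and ' into
    entities, so the path is rendered as text rather than as markup.
    (Hypothetical renderer, not Maloja's own error handler.)
    """
    shown = html.escape(path, quote=True) if escape else path
    return (
        "<!doctype html><html><body>"
        f"<h1>404 Not Found</h1><p>No such page: {shown}</p>"
        "</body></html>"
    )


def echoes_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check: True if an untrusted value containing tag
    characters appears verbatim (unescaped) in the rendered page."""
    has_tag_chars = "<" in untrusted or ">" in untrusted
    return has_tag_chars and untrusted in rendered


# Constructed sample request path for the demonstration (not from the advisory).
SAMPLE_PATH = "/missing/<b>page</b>"


def demo() -> dict:
    """Return the two outcomes so they can be inspected or asserted on."""
    unsafe_page = render_not_found(SAMPLE_PATH, escape=False)
    safe_page = render_not_found(SAMPLE_PATH)
    return {
        "unsafe_echoes_markup": echoes_raw_markup(unsafe_page, SAMPLE_PATH),
        "escaped_echoes_markup": echoes_raw_markup(safe_page, SAMPLE_PATH),
        "escaped_page": safe_page,
    }


if __name__ == "__main__":
    result = demo()
    print("unsafe echoes markup:", result["unsafe_echoes_markup"])
    print("escaped echoes markup:", result["escaped_echoes_markup"])
    print(result["escaped_page"])
```

Template engines such as Jinja2 do this escaping automatically when autoescape is enabled; the hazard in the advisory arises precisely when a path is concatenated into a response outside that mechanism, which is why the check above looks for the raw input in the final rendered page rather than trusting the template layer.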

Patches

The vulnerability is patched in 3.2.2.

Packages

Name: malojaserver
Ecosystem: pip
Affected versions: < 3.2.2
Patched version: 3.2.2

5.4 Medium

CVSS3

Weaknesses

CWE-79