Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-6xcx-gx7r-rccj

Опубликовано: 15 авг. 2023
Источник: github
Github: Прошло ревью
CVSS3: 6.1

Описание

Scancode.io Reflected Cross-Site Scripting (XSS) in license endpoint

Summary

In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist.

Details

In the /license/ endpoint, the license_details_view function is vulnerable to a potential cross-site scripting (XSS) attack due to inadequate validation and sanitization of the key parameter. This vulnerability arises when attempting to access a key with malicious javascript.

def license_details_view(request, key): """ Display all available information about a given license `key` followed by the full license text. """ licenses = get_licenses() try: data = saneyaml.dump(licenses[key].to_dict()) text = licenses[key].text except KeyError: return HttpResponseNotFound(f"License {key} not found.") # Leads to cross-site scripting when key is malicious javascript return HttpResponse(f"<pre>{data}</pre><hr><pre>{text}</pre>")

PoC

  1. Access following endpoint on scancode.io instance: http://localhost/license/%3Cscript%3Ealert(document.cookie);%3C/script%3E/

Impact

Attackers can exploit the vulnerability to inject malicious scripts into the response generated by the license_details_view function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information.

Ссылки

Пакеты

Наименование

scancodeio

pip
Затронутые версииВерсия исправления

<= 32.5.1

32.5.2

EPSS

Процентиль: 64%
0.00473
Низкий

6.1 Medium

CVSS3

CVE ID

CVE-2023-40024

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2023-40024

CVSS3: 5.4
nvd
больше 2 лет назад

ScanCode.io is a server to script and automate software composition analysis pipelines. In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the `license_details_view` function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release `32.5.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

fstec логотип

BDU:2023-06646

CVSS3: 5.4
fstec
больше 2 лет назад

Уязвимость функции license_details_view инструмента сканирования и анализа открытого исходного кода программного обеспечения ScanCode.io, позволяющая нарушителю выполнить атаку межсайтового скриптинга (XSS)

EPSS

Процентиль: 64%
0.00473
Низкий

6.1 Medium

CVSS3

CVE ID

CVE-2023-40024

Дефекты

CWE-79