Описание
Cross-site scripting in TotalJS
A stored cross-site scripting (XSS) vulnerability in TotalJS allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the settings module.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2023-30094
- https://github.com/totaljs/flow/issues/100
- https://github.com/totaljs/framework4/commit/e2cea690c3fe4453e94da896a69f832511f65179
- https://www.edoardoottavianelli.it/CVE-2023-30094
- https://www.youtube.com/watch?v=8VbTm2sIdBE
- https://www.youtube.com/watch?v=vOb9Fyg3iVo
Пакеты
Наименование
total4
npm
Затронутые версииВерсия исправления
< 0.0.81
0.0.81
Связанные уязвимости
CVSS3: 5.4
nvd
почти 3 года назад
A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the settings module.