exploitDog

GHSA-rrgw-3hg3-9x8c

Published: 12 Jan 2022
Source: github
GitHub: reviewed
CVSS3: 6.9

Description

XSS vulnerability in translations

Summary

An attacker with admin privileges and access to the Translations management functionality may add a JS payload to translation values via:

  • The translation management UI.
  • Translations downloaded via the Crowdin service, which may also contain JS strings used for XSS attacks; for a successful attack the poisoned translation must be enabled, downloaded, and installed.
  • Translations uploaded via "Upload translation file" on the All Languages grid.
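Because every vector above ends with an admin installing translation values that the application later renders, a defender can audit a translation export before it is enabled. The following is an added example, not code from the advisory or from OroPlatform: it takes a constructed key-to-value mapping (the file format and key names are assumptions), flags values that carry active content or any markup, and shows the escaping a template should apply to a value it does not trust.

```python
import html
import re

# Constructed sample: a translation export (key -> translated value) as it
# might arrive from an upload or a translation service. Keys are invented.
SAMPLE_TRANSLATIONS = {
    "oro.ui.save": "Save",
    "oro.ui.welcome": "Welcome, <strong>%username%</strong>",
    "oro.ui.help": "<script>document.title = 'x'</script>Help",
    "oro.ui.logo": '<img src=x onerror="x()">',
    "oro.ui.link": '<a href="javascript:void(0)">More</a>',
}

# Heuristics for active content, checked from most to least specific.
# The event-handler pattern only matches inside a tag, so prose such as
# "one = two" is not reported. These are flag-for-review rules, not proof.
ACTIVE_CONTENT = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"<[^>]*\son[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("embed-tag", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
]
# Any tag at all: legitimate translations may carry simple markup, so this
# is reported at a lower level rather than rejected outright.
ANY_MARKUP = re.compile(r"<[a-z/!]", re.I)


def classify(value):
    """Return (level, reason) for one value: active, markup or text."""
    for name, pattern in ACTIVE_CONTENT:
        if pattern.search(value):
            return "active", name
    if ANY_MARKUP.search(value):
        return "markup", "html-tag"
    return "text", ""


def audit_translations(translations):
    """Return {key: (level, reason)} for every value that is not plain text."""
    findings = {}
    for key, value in translations.items():
        level, reason = classify(value)
        if level != "text":
            findings[key] = (level, reason)
    return findings


def render_safely(value):
    """Escape a translation value so the browser treats it as text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for key, (level, reason) in sorted(audit_translations(SAMPLE_TRANSLATIONS).items()):
        print(f"{level:7} {reason:14} {key}")
```

Values reported as "markup" need a human decision (intended formatting or not); values reported as "active" should block the install until explained.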

Workarounds

There are no workarounds that address this vulnerability.

Packages

Name           Ecosystem   Affected versions     Patched version
oro/platform   composer    >= 3.1.0, < 3.1.29    3.1.29
oro/platform   composer    >= 4.1.0, < 4.1.17    4.1.17
oro/platform   composer    >= 4.2.0, < 4.2.8     4.2.8

CVSS3: 6.9 (Medium)
