Опубликовано: 26 июл. 2022
Источник: github
Github: Прошло ревью
CVSS4: 5.3
CVSS3: 6.1
Описание
Fava time and filter parameters vulnerable to reflected Cross-site Scripting
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected cross-site scripting due to the lack of escaping of error messages which contained the parameters in verbatim.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2022-2514
- https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
- https://github.com/advisories/GHSA-xrf4-39fm-j5f2
- https://github.com/pypa/advisory-database/tree/main/vulns/fava/PYSEC-2022-239.yaml
- https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
Пакеты
Наименование
fava
pip
Затронутые версииВерсия исправления
< 1.22
1.22
Связанные уязвимости
CVSS3: 6.1
ubuntu
больше 3 лет назад
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.
CVSS3: 6.1
nvd
больше 3 лет назад
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.
CVSS3: 6.1
debian
больше 3 лет назад
The time and filter parameters in Fava prior to v1.22 are vulnerable t ...