CVE-2019-13645

Опубликовано: 18 июл. 2019

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability

Ссылки

https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa
Patch
Third Party Advisory
https://github.com/firefly-iii/firefly-iii/issues/2337
Exploit
Third Party Advisory
https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa
Patch
Third Party Advisory
https://github.com/firefly-iii/firefly-iii/issues/2337
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:firefly-iii:firefly_iii:*:*:*:*:*:*:*:*

Версия до 4.7.17.3 (исключая)

EPSS

Процентиль: 51%

0.00281

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-5hpw-vcj2-prwg