CVE-2019-13647

Опубликовано: 18 июл. 2019

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability

Ссылки

https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa
Patch
Third Party Advisory
https://github.com/firefly-iii/firefly-iii/issues/2338
Exploit
Third Party Advisory
https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa
Patch
Third Party Advisory
https://github.com/firefly-iii/firefly-iii/issues/2338
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:firefly-iii:firefly_iii:*:*:*:*:*:*:*:*

Версия до 4.7.17.3 (исключая)

EPSS

Процентиль: 43%

0.00206

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-pcxq-28f6-m3fm