exploitDog

CVE-2019-16925

Опубликовано: 28 сент. 2019

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change them already has full access

Ссылки

https://fatihhcelik.blogspot.com/2019/09/flower-100-has-xss-via-name-parameter.html
Exploit
Third Party Advisory
https://fatihhcelik.blogspot.com/2019/09/flower-100-has-xss-via-name-parameter.html
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:flower_project:flower:1.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 47%

0.0024

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-q2hg-9256-vrxm

CVSS3: 6.1

github

больше 3 лет назад

Flower 1.0.0 has XSS via the name parameter in an @app.task call.

EPSS

Процентиль: 47%

0.0024

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79