CVE-2020-36644

Опубликовано: 07 янв. 2023

Источник: nvd

CVSS3: 3.5

CVSS3: 6.1

CVSS2: 4

EPSS Низкий

Описание

A vulnerability has been found in jamesmartin Inline SVG up to 1.7.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file lib/inline_svg/action_view/helpers.rb of the component URL Parameter Handler. The manipulation of the argument filename leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.7.2 is able to address this issue. The identifier of the patch is f5363b351508486021f99e083c92068cf2943621. It is recommended to upgrade the affected component. The identifier VDB-217597 was assigned to this vulnerability.

Ссылки

https://github.com/jamesmartin/inline_svg/commit/f5363b351508486021f99e083c92068cf2943621
Patch
https://github.com/jamesmartin/inline_svg/pull/117
Patch
https://github.com/jamesmartin/inline_svg/releases/tag/v1.7.2
Release Notes
https://vuldb.com/?ctiid.217597
Third Party Advisory
VDB Entry
https://vuldb.com/?id.217597
Third Party Advisory
VDB Entry
https://github.com/jamesmartin/inline_svg/commit/f5363b351508486021f99e083c92068cf2943621
Patch
https://github.com/jamesmartin/inline_svg/pull/117
Patch
https://github.com/jamesmartin/inline_svg/releases/tag/v1.7.2
Release Notes
https://vuldb.com/?ctiid.217597
Third Party Advisory
VDB Entry
https://vuldb.com/?id.217597
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:inline_svg_project:inline_svg:*:*:*:*:*:*:*:*

Версия до 1.7.2 (исключая)

EPSS

Процентиль: 71%

0.00661

Низкий

3.5 Low

CVSS3

6.1 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-p33q-4h4m-j994

CVSS3: 6.1

github

около 3 лет назад

Inline SVG vulnerable to Cross-site Scripting

EPSS

Процентиль: 71%

0.00661

Низкий

3.5 Low

CVSS3

6.1 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-79