Описание
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they have BoardAdmin access), and renameAttachment does not block XSS payloads.
Ссылки
- ExploitThird Party AdvisoryVDB Entry
- Product
- ExploitVendor Advisory
- ExploitThird Party AdvisoryVDB Entry
- Product
- ExploitVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 6.75 (исключая)
cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
EPSS
Процентиль: 37%
0.00158
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 5.4
github
больше 2 лет назад
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they have BoardAdmin access), and renameAttachment does not block XSS payloads.
EPSS
Процентиль: 37%
0.00158
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-79