Описание
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.
Ссылки
- Product
- Patch
- ExploitVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2025.3.0 (исключая)
cpe:2.3:a:xwiki:cryptpad:*:*:*:*:*:*:*:*
EPSS
Процентиль: 8%
0.00031
Низкий
6.1 Medium
CVSS3
Дефекты
CWE-692
EPSS
Процентиль: 8%
0.00031
Низкий
6.1 Medium
CVSS3
Дефекты
CWE-692