6.1
CVE-2017-12097
- EPSS 0.4%
- Published 19.01.2018 20:29:00
- Last modified 21.11.2024 03:08:49
- Source talos-cna@cisco.com
An exploitable cross-site scripting (XSS) vulnerability exists in the filter functionality of the delayed_job_web Rails gem version 1.4. A specially crafted URL can cause an XSS flaw, resulting in an attacker being able to execute arbitrary JavaScript in the victim's browser. An attacker can phish an authenticated user to trigger this vulnerability.
Data provided by the National Vulnerability Database (NVD)
Delayed Job Web Project ≫ Delayed Job Web, Version 1.4, SwPlatform ruby
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.4% | 0.595 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| talos-cna@cisco.com | 6.1 | 2.8 | 2.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.