6.1

CVE-2019-13122

A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OzlabsPatchwork Version >= 1.1 < 2.0.4
OzlabsPatchwork Version >= 2.1.0 < 2.1.4
OzlabsPatchwork Version2.1.0 Updaterc1
OzlabsPatchwork Version2.1.0 Updaterc2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.34% 0.676
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://jk.ozlabs.org/projects/patchwork/
Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/07/05/1
Third Party Advisory
Mailing List
https://github.com/getpatchwork/patchwork/commits/master
Third Party Advisory
https://github.com/getpatchwork/patchwork/releases
Third Party Advisory
Release Notes
https://lists.ozlabs.org/pipermail/patchwork/2019-July/005870.html
Vendor Advisory
Mailing List
https://lists.ozlabs.org/pipermail/patchwork/2019-July/005878.html
Vendor Advisory
Mailing List
https://lists.ozlabs.org/pipermail/patchwork/2019-July/date.html
Vendor Advisory