CVE-2019-13122

EPSS 0.72%
Veröffentlicht 10.07.2019 17:15:12
Zuletzt bearbeitet 21.11.2024 04:24:14
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ozlabs ≫ Patchwork Version >= 1.1 < 2.0.4

Ozlabs ≫ Patchwork Version >= 2.1.0 < 2.1.4

Ozlabs ≫ Patchwork Version2.1.0 Updaterc1

Ozlabs ≫ Patchwork Version2.1.0 Updaterc2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.718

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://jk.ozlabs.org/projects/patchwork/

Vendor Advisory

http://www.openwall.com/lists/oss-security/2019/07/05/1

Third Party Advisory

Mailing List

https://github.com/getpatchwork/patchwork/commits/master

Third Party Advisory

https://github.com/getpatchwork/patchwork/releases

Third Party Advisory

Release Notes

https://lists.ozlabs.org/pipermail/patchwork/2019-July/005870.html

Vendor Advisory