5.4

CVE-2024-6585

Multiple stored cross-site scripting (“XSS”) vulnerabilities in the markdown dashboard and dashboard comment functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to inject malicious scripts into vulnerable web pages. A threat actor could potentially exploit this vulnerability to store malicious JavaScript which executes in the context of a user’s session with the application.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
Herstellerlightdash
Produkt lightdash
Default Statusunknown
Version 0.1024.6
Version < 0.1042.2
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.54% 0.412
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/google/security-research/security/advisories/GHSA-6529-6jv3-66q2
https://github.com/lightdash/lightdash
https://github.com/lightdash/lightdash/pull/9359
https://github.com/lightdash/lightdash/pull/9510
https://github.com/lightdash/lightdash/releases/tag/0.1042.2
https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9359.patch
https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9510.patch
https://www.cve.org/CVERecord?id=CVE-2024-6585