History: Jul 10, 2019 - 5:15 p.m.

CVE-2019-13122

2019-07-10 17:15:12
CWE-79
mitre
web.nvd.nist.gov
cve-2019-13122
cross site scripting
xss
patchwork
email vulnerability
security patch

CVSS2

Score: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

Score: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

Score: 0.004
Percentile: 74.0%

A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.

Affected configurations

Nvd

Node
  ozlabs patchwork, Range: 1.1 - 2.0.4
  OR
  ozlabs patchwork, Range: 2.1.0 - 2.1.4
  OR
  ozlabs patchwork, Match: 2.1.0 rc1
  OR
  ozlabs patchwork, Match: 2.1.0 rc2

Vendor    Product      Version    CPE
ozlabs    patchwork    *          cpe:2.3:a:ozlabs:patchwork:*:*:*:*:*:*:*:*
ozlabs    patchwork    2.1.0      cpe:2.3:a:ozlabs:patchwork:2.1.0:rc1:*:*:*:*:*:*
ozlabs    patchwork    2.1.0      cpe:2.3:a:ozlabs:patchwork:2.1.0:rc2:*:*:*:*:*:*
