CVE-2023-26491

2023-03-0323:15:12

CWE-79

[email protected]

web.nvd.nist.gov

rsshub

open source

rss feed

generator

xss

vulnerability

security

fix

c910c4d28717fb860fbe064736641f379fab2c91

update

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

32.2%

JSON

RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. This vulnerability was fixed in version c910c4d28717fb860fbe064736641f379fab2c91. Please upgrade to this or a later version, there are no known workarounds.

Affected configurations

Vulners

NVD

Node

diygodrsshubRange<1.0.0-master.c910c4d

CPENameOperatorVersion
rsshub:rsshubrsshublt2023-03-02

CPE	Name	Operator	Version
rsshub:rsshub	rsshub	lt	2023-03-02

CNA Affected

[
  {
    "vendor": "DIYgod",
    "product": "RSSHub",
    "versions": [
      {
        "version": "< 1.0.0-master.c910c4d",
        "status": "affected"
      }
    ]
  }
]