History: Jul 13, 2023 - 11:15 p.m.

CVE-2023-37272

Published: 2023-07-13 23:15:10
CWE: CWE-79
Source: GitHub_M
Reference: web.nvd.nist.gov
Tags: cve-2023-37272, job scheduler, xss, file upload, security vulnerability, nvd

CVSS3: 6.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS: 0.001
Percentile: 21.4%

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files that hold user-generated documentation for JOC Cockpit. Specially crafted file names allow an XSS attack that injects code which is executed in the browser. The risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0. The vulnerability is resolved with release 1.13.19.

Affected configurations

Vulners:
  Node: sos-berlin jobscheduler
  Range: < 1.13.19

NVD:
  Vendor: sos-berlin
  Product: jobscheduler
  Version: *
  CPE: cpe:2.3:a:sos-berlin:jobscheduler:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "sos-berlin",
    "product": "joc-cockpit",
    "versions": [
      {
        "version": "< 1.13.19",
        "status": "affected"
      }
    ]
  }
]
