CVE-2023-40024

2023-08-1420:15:12

CWE-79

[email protected]

web.nvd.nist.gov

scancode.io

license

endpoint

validation

sanitization

xss vulnerability

release 32.5.2

upgrade

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the license_details_view function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release 32.5.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

nexbscancode.ioRange<32.5.2

VendorProductVersionCPE
nexbscancode\.io*cpe:2.3:a:nexb:scancode\.io:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nexb	scancode\.io	*	cpe:2.3:a:nexb:scancode\.io::::::::

CNA Affected

[
  {
    "vendor": "nexB",
    "product": "scancode.io",
    "versions": [
      {
        "version": "< 32.5.2",
        "status": "affected"
      }
    ]
  }
]