CVE-2023-47623

2023-12-1322:15:43

CWE-79

[email protected]

web.nvd.nist.gov

scrypted

home video

integration

automation

cross-site scripting

reflected xss

redirect_uri

javascript scheme

nvd

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists in the login page via the redirect_uri parameter. By specifying a url with the javascript scheme (javascript:), an attacker can run arbitrary JavaScript code after the login.

Affected configurations

Vulners

NVD

Node

koushscryptedRange≤0.55.0

CPENameOperatorVersion
clockworkmod:scryptedclockworkmod scryptedle0.55.0

CPE	Name	Operator	Version
clockworkmod:scrypted	clockworkmod scrypted	le	0.55.0

CNA Affected

[
  {
    "vendor": "koush",
    "product": "scrypted",
    "versions": [
      {
        "version": "<= 0.55.0",
        "status": "affected"
      }
    ]
  }
]