Lucene search

GitHub_MCVE-2024-41809

HistoryJul 25, 2024 - 9:15 p.m.

CVE-2024-41809

2024-07-2521:15:11

CWE-79

GitHub_M

web.nvd.nist.gov

openobserve

observability platform

xss

vulnerability

version 0.4.4

version 0.10.0

membersubscription.vue

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.1%

JSON

OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, OpenObserve contains a cross-site scripting vulnerability in line 32 of openobserve/web/src/views/MemberSubscription.vue. Version 0.10.0 sanitizes incoming html.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

openobserveopenobserveRange0.4.4–0.10.0

VendorProductVersionCPE
openobserveopenobserve*cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openobserve	openobserve	*	cpe:2.3:a:openobserve:openobserve::::::::

CNA Affected

[
  {
    "vendor": "openobserve",
    "product": "openobserve",
    "versions": [
      {
        "version": ">= 0.4.4, < 0.10.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32

github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02

github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d

github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.1%

JSON

Related for CVE-2024-41809