Lucene search

SnykCVELIST:CVE-2023-26146

HistorySep 29, 2023 - 5:00 a.m.

CVE-2023-26146

2023-09-2905:00:01

snyk

www.cve.org

cve-2023-26146

cross-site scripting

xss

file sanitization

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P

EPSS

0.001

Percentile

21.7%

JSON

All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered.

CNA Affected

[
  {
    "product": "ithewei/libhv",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]

References

gist.github.com/dellalibera/c53448135480cbe12257c4b413a90d20

security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730766

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P

EPSS

0.001

Percentile

21.7%

JSON

Related for CVELIST:CVE-2023-26146