Lucene search

GitHub_MCVELIST:CVE-2023-29015

HistoryApr 06, 2023 - 7:03 p.m.

CVE-2023-29015 Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments

2023-04-0619:03:23

CWE-79

GitHub_M

www.cve.org

cve-2023-29015

goobi viewer

cross-site scripting

vulnerability

user comments

web application

digitised material

browser

specially crafted comment

malicious script code

version 23.03

security

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

35.3%

JSON

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user’s browser when displaying the comment. The vulnerability has been fixed in version 23.03.

CNA Affected

[
  {
    "vendor": "intranda",
    "product": "goobi-viewer-core",
    "versions": [
      {
        "version": "< 23.03",
        "status": "affected"
      }
    ]
  }
]

References

github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256

github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

35.3%

JSON

Related for CVELIST:CVE-2023-29015