Lucene search

Fluid AttacksCVELIST:CVE-2023-6142

HistoryNov 20, 2023 - 11:24 p.m.

CVE-2023-6142 Dev Blog v1.0 - Stored XSS

2023-11-2023:24:48

CWE-79

Fluid Attacks

www.cve.org

cve-2023-6142

dev blog v1.0

stored xss

unrestricted file upload

bad entropy

html file

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

14.2%

JSON

Dev blog v1.0 allows to exploit an XSS through an unrestricted file upload, together with a bad entropy of filenames. With this an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Dev Blog",
    "vendor": "Dev Blog",
    "versions": [
      {
        "status": "affected",
        "version": "1.0"
      }
    ]
  }
]

References

fluidattacks.com/advisories/bunny/

github.com/Armanidrisi/devblog/

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

14.2%

JSON

Related for CVELIST:CVE-2023-6142