Lucene search

GitHub_MCVELIST:CVE-2024-38521

HistoryJun 28, 2024 - 3:33 p.m.

CVE-2024-38521 Persistent Cross-Site Scripting (XSS) in hushline inbox

2024-06-2815:33:21

CWE-79

GitHub_M

www.cve.org

hush line

xss

jinja2

patched

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. There is a stored XSS in the Inbox. The input is displayed using the safe Jinja2 attribute, and thus not sanitized upon display. This issue has been patched in version 0.1.0.

CNA Affected

[
  {
    "vendor": "scidsg",
    "product": "hushline",
    "versions": [
      {
        "version": "< 0.1.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/scidsg/hushline/security/advisories/GHSA-4v8c-r6h2-fhh3

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-38521