Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2017-15215

HistoryOct 11, 2017 - 1:32 a.m.

CVE-2017-15215

2017-10-1101:32:55

Debian Security Bug Tracker

security-tracker.debian.org

cve-2017-15215

shaarli

reflected xss

administrator

javascript

unauthenticated users

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

43.8%

JSON

Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated attacker to inject JavaScript via the searchtags parameter to index.php. If the victim is an administrator, an attacker can (for example) take over the admin session or change global settings or add/delete links. It is also possible to execute JavaScript against unauthenticated users.

OSVersionArchitecturePackageVersionFilename
Debian12allshaarli< 0.12.1+dfsg-8shaarli_0.12.1+dfsg-8_all.deb
Debian999allshaarli< 0.13.0+dfsg-3shaarli_0.13.0+dfsg-3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	shaarli	< 0.12.1+dfsg-8	shaarli_0.12.1+dfsg-8_all.deb
Debian	999	all	shaarli	< 0.13.0+dfsg-3	shaarli_0.13.0+dfsg-3_all.deb

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

43.8%

JSON

Related for DEBIANCVE:CVE-2017-15215