Lucene search

GitHub Advisory DatabaseGHSA-2WQW-HR4F-XRHH

HistoryMar 06, 2024 - 5:02 p.m.

RSSHub Cross-site Scripting vulnerability caused by internal media proxy

2024-03-0617:02:34

CWE-79

GitHub Advisory Database

github.com

xss vulnerability

media proxy

arbitrary javascript code

url

upgrade

fixed vulnerability

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Impact

When the specially crafted image is supplied to the internal media proxy, it proxies the image without handling XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code.

Users who access the deliberately constructed URL are affected.

Patches

This vulnerability was fixed in version https://github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87. Please upgrade to this or a later version.

Workarounds

No.

Affected configurations

Vulners

Node

rsshubrsshubRange1.0.0-master.cbbd829–1.0.0-master.d8ca915

VendorProductVersionCPE
rsshubrsshub*cpe:2.3:a:rsshub:rsshub:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rsshub	rsshub	*	cpe:2.3:a:rsshub:rsshub::::::::

References

github.com/advisories/GHSA-2wqw-hr4f-xrhh

github.com/DIYgod/RSSHub/commit/4d3e5d79c1c17837e931b4cd253d2013b487aa87

github.com/DIYgod/RSSHub/security/advisories/GHSA-2wqw-hr4f-xrhh

nvd.nist.gov/vuln/detail/CVE-2024-27926

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for GHSA-2WQW-HR4F-XRHH