GitHub Advisory Database: GHSA-589W-HCCM-265X
Oct 19, 2020 - 8:17 p.m.

Inline attribute values were not processed.

2020-10-19 20:17:47
CWE-79
GitHub Advisory Database
github.com
inline attributes
xss
vulnerability
processing
patches
software

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS: 0.001
Percentile: 29.3%

Impact

Inline attribute values were not escaped.
If the data in those attributes came from users and was not processed, an XSS vulnerability is possible.

Patches

Fixed in 9.4.4

Affected configurations

Vulners
Node: orchid platform
Range: 9.0.0 - 9.4.4

Vendor: orchid
Product: platform
Version: *
CPE: cpe:2.3:a:orchid:platform:*:*:*:*:*:*:*:*
