GitHub Advisory Database: GHSA-5C8P-QHCH-QHX6
History: Aug 27, 2022 - 12:00 a.m.

Deluge Web-UI vulnerable to XSS through a crafted torrent file

2022-08-27 00:00:44
CWE-79
GitHub Advisory Database
github.com

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 34.5%

The Deluge Web-UI is vulnerable to cross-site scripting through a crafted torrent file. Data from torrent files is not properly sanitised because it is interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary JavaScript code in the context of the user’s browser session.
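A defensive check for the class of input this advisory describes, as an added example that is not taken from the advisory or from the Deluge project: it decodes a torrent's bencoded metainfo and reports every string value containing HTML markup, together with the escaped form that is safe to place in a page. The markup heuristic, the function names and the sample bytes are assumptions constructed for illustration.

```python
import html
import re

# Assumption: a tag opener or character entity is what makes a string worth flagging.
MARKUP = re.compile(r"<[A-Za-z/!]|&#?\w+;")

def bdecode(data, i=0):
    """Decode one bencoded value starting at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":  # running off the end raises below
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        if len(items) % 2 or not all(isinstance(k, bytes) for k in items[::2]):
            raise ValueError("malformed dictionary")
        return dict(zip(items[::2], items[1::2])), i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[colon + 1:end], end
    raise ValueError(f"bad bencode at offset {i}")

def flag_markup(node, path=""):
    """Return (path, HTML-escaped text) for each string value containing markup."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key != b"pieces":  # raw SHA-1 digests, not display text
                hits += flag_markup(value, f"{path}/{key.decode('utf-8', 'replace')}")
    elif isinstance(node, list):
        for n, value in enumerate(node):
            hits += flag_markup(value, f"{path}[{n}]")
    elif isinstance(node, bytes):
        text = node.decode("utf-8", "replace")
        if MARKUP.search(text):
            hits.append((path, html.escape(text)))
    return hits

# Constructed sample metainfo, not a real torrent; the markup is an inert <b> tag.
SAMPLE = (b"d8:announce18:http://t.example/a4:infod6:lengthi1e4:name12:<b>x</b>.iso"
          b"12:piece lengthi16384e6:pieces20:" + b"\x00" * 20 + b"ee")
print(flag_markup(bdecode(SAMPLE)[0]))
```

The scan walks every string because the advisory does not say which metainfo fields reach the page; a hit means the value needs escaping before display, not that the file is malicious.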

Affected configurations

Vulners Node
deluge-torrent deluge, Range 0
OR
deluge-torrent deluge, Range <2.1.0

CPE
Name    Operator  Version
deluge  ge        0
deluge  lt        2.1.0
