Lucene search

GitHub Advisory DatabaseGHSA-F4M6-X2XJ-JC7W

HistoryJun 16, 2023 - 3:30 p.m.

ke_search (aka Faceted Search) vulnerable to Cross-Site Scripting

2023-06-1615:30:19

CWE-79

GitHub Advisory Database

github.com

ke_search

faceted search

xss

typo3

indexed data

software

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS

0.001

Percentile

18.7%

JSON

The ke_search (aka Faceted Search) extension before 4.0.3, 4.1.x through 4.6.x before 4.6.6, and 5.x before 5.0.2 for TYPO3 allows XSS via indexed data.

Affected configurations

Vulners

Node

tpwdke_searchRange<4.0.3

tpwdke_searchRange4.1.0–4.6.6

tpwdke_searchRange5.0.0–5.0.2

VendorProductVersionCPE
tpwdke_search*cpe:2.3:a:tpwd:ke_search:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tpwd	ke_search	*	cpe:2.3:a:tpwd:ke_search::::::::

References

github.com/advisories/GHSA-f4m6-x2xj-jc7w

github.com/FriendsOfPHP/security-advisories/blob/master/tpwd/ke_search/CVE-2023-35783.yaml

github.com/tpwd/ke_search/commit/14fa0703c2469e04eb398be4ae6268ec6ad6e720

github.com/tpwd/ke_search/commit/b0f05d7e7e207bc0d5051bd96f3ff43c5c3658c6

github.com/tpwd/ke_search/commit/d81a1f2f3dcb612220d505b495bc2851b87f6f74

nvd.nist.gov/vuln/detail/CVE-2023-35783

typo3.org/security/advisory/typo3-ext-sa-2023-004