CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
EPSS
Percentile
19.4%
What kind of vulnerability is it? Who is impacted?
It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form.
Only admin users are affected and only admin users can create tags.
Has the problem been patched? What versions should users upgrade to?
The problem is patched with Version 1.6.42.
Is there a way for users to fix or remediate the vulnerability without upgrading?
Create a custom request listener to avoid that this kind of tags are created.
Are there any links users can visit to find out more?
Currently not.
If you have any questions or comments about this advisory:
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
EPSS
Percentile
19.4%