GitHub Advisory DatabaseGHSA-J2FP-9WP5-MG66Passbolt API is vulnerable to XSS in the url field on the password workspace grid and sidebar
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
22.7%
Passbolt API version 1.6.4 and older are vulnerable to a XSS in the url field on the password workspace
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| passbolt | passbolt_api | * | cpe:2.3:a:passbolt:passbolt_api:*:*:*:*:*:*:*:* |
References
github.com/advisories/GHSA-j2fp-9wp5-mg66
github.com/FriendsOfPHP/security-advisories/blob/master/passbolt/passbolt_api/CVE-2017-1000442.yaml
github.com/passbolt/passbolt_api/commit/f5eb93485a90195439e12aa8072f45ceb37b19c3
nvd.nist.gov/vuln/detail/CVE-2017-1000442
www.passbolt.com/incidents/20170914_xss_on_resource_urls
www.passbolt.com/release/notes#September
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
22.7%