GitHub Advisory Database: GHSA-XR7P-8Q82-878Q
Published: Dec 06, 2022 (2022-12-06 15:36:15)

teler dashboard vulnerable to DOM-based cross-site scripting (XSS)

CWE-79
Source: GitHub Advisory Database (github.com)

CVSS3: 5.4 Medium
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low (percentile 19.5%)

Description

teler versions prior to 2.0.0-rc.4 are vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When the dashboard reads messages from the event stream on the /events endpoint, the log data it displays is not sanitized before being inserted into the page.
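To make the description concrete, here is an added example (not teler's own code) of a minimal renderer for records read from an event stream such as /events: the unescaped pattern that produces this class of DOM XSS beside the escaped form, plus a parser that rejects malformed events. The record shape ({time, log}), the function names and the sample event are assumptions constructed for the example.

```javascript
// Added example, not teler's code. Assumed record shape: {time: string, log: string}.

// Escape the five characters that can change HTML context. Apply it to every
// untrusted field before that field is concatenated into markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: raw log text interpolated into markup that is later
// assigned to innerHTML. Any markup inside the logged request is rendered live.
function renderRowUnsafe(record) {
  return `<tr><td>${record.time}</td><td>${record.log}</td></tr>`;
}

// Hardened pattern: identical layout, but every field is escaped first, so the
// logged payload is shown as text instead of being parsed as HTML.
function renderRowSafe(record) {
  return `<tr><td>${escapeHtml(record.time)}</td><td>${escapeHtml(record.log)}</td></tr>`;
}

// Parse one SSE "data:" payload. Reject anything that is not a JSON object with
// string fields, so a malformed event cannot reach the renderer with an
// unexpected type that bypasses escaping.
function parseEvent(data) {
  const obj = JSON.parse(data);
  if (typeof obj !== 'object' || obj === null) throw new TypeError('event is not an object');
  for (const k of ['time', 'log']) {
    if (typeof obj[k] !== 'string') throw new TypeError(`field ${k} is not a string`);
  }
  return obj;
}

// Constructed sample event: a logged request whose query string carries markup.
const SAMPLE_EVENT = JSON.stringify({
  time: '2022-12-06T15:36:15Z',
  log: 'GET /?q=<script>alert(1)</script> HTTP/1.1',
});

// Detection helper for the test: does the rendered row still contain an active tag?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html);
}
```

The same escaping must be applied to any other field from the stream (client IP, user agent, rule name) before it reaches innerHTML; using textContent on a created cell instead of string concatenation is the simpler alternative in a real DOM.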

Impact

This only affects authenticated users of the dashboard, and it can only be exploited through a detected threat whose log entry contains a DOM scripting payload. This indicates a low severity, with no significant impact on users.

Affected Version

This issue was introduced in version v2.0.0-rc and affects versions v2.0.0-rc through v2.0.0-rc.3, as well as v2.0.0-dev.

Patches

This vulnerability has been fixed in versions v2.0.0-rc.4 and v2.0.0-dev.2.

Workarounds

Here are some workarounds to handle this case:

  • Deactivate the live event dashboard in the configuration file, or
  • Upgrade teler to v2.0.0-rc.4 or v2.0.0-dev.2, or a later version.

Affected configurations

Vulners node: teler.app matches 2.0.0-dev OR teler.app range <= 2.0.0-rc.3

CPE  Name       Operator  Version
     teler.app  eq        2.0.0-dev
     teler.app  le        2.0.0-rc.3
