Lucene search

[email protected]NVD:CVE-2024-22048

HistoryJan 04, 2024 - 9:15 p.m.

CVE-2024-22048

2024-01-0421:15:09

CWE-79

[email protected]

web.nvd.nist.gov

govuk_tech_docs

versions

cross-site scripting

vulnerability

malicious javascript

search page

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

32.6%

JSON

govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user’s browser if a malicious search result is displayed on the search page.

Affected configurations

Nvd

Node

gov.ukgovuk_tech_docsRange2.0.2–3.3.1ruby

VendorProductVersionCPE
gov.ukgovuk_tech_docs*cpe:2.3:a:gov.uk:govuk_tech_docs:*:*:*:*:*:ruby:*:*

Vendor	Product	Version	CPE
gov.uk	govuk_tech_docs	*	cpe:2.3:a:gov.uk:govuk_tech_docs::::::ruby::*

References

github.com/advisories/GHSA-x2xw-hw8g-6773

github.com/alphagov/tech-docs-gem/pull/323

github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1

github.com/alphagov/tech-docs-gem/security/advisories/GHSA-x2xw-hw8g-6773

vulncheck.com/advisories/vc-advisory-GHSA-x2xw-hw8g-6773

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

32.6%

JSON

Related for NVD:CVE-2024-22048

osv2 cve1 veracode1 rubygems1 prion1 vulnrichment1 github1 cvelist1