Lucene search

GoogleOSV:CVE-2023-37658

HistoryJul 11, 2023 - 3:15 p.m.

CVE-2023-37658

2023-07-1115:15:20

Google

osv.dev

cve-2023-37658

cross site scripting

file upload

binary check

file suffix check

apiuploadhandler.post

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.4%

JSON

fast-poster v2.15.0 is vulnerable to Cross Site Scripting (XSS). File upload check binary of img, but without strictly check file suffix at /server/fast.py -> ApiUploadHandler.post causes stored XSS

CPENameOperatorVersion
fast-postereq2.8.0
fast-postereq1.3.3
fast-postereqV1.2.2
fast-postereq2.4.1
fast-postereq2.7.1
fast-postereq2.13.0
fast-postereq2.10.0
fast-postereq2.9.0
fast-postereq2.11.0
fast-postereq1.5.4

Name	Operator	Version
fast-poster	eq	2.8.0
fast-poster	eq	1.3.3
fast-poster	eq	V1.2.2
fast-poster	eq	2.4.1
fast-poster	eq	2.7.1
fast-poster	eq	2.13.0
fast-poster	eq	2.10.0
fast-poster	eq	2.9.0
fast-poster	eq	2.11.0
fast-poster	eq	1.5.4

Rows per page:

1-10 of 441

References

github.com/psoho/fast-poster/issues/13