Lucene search

GoogleOSV:GHSA-4PVW-G9FX-594R

HistoryJul 25, 2023 - 6:30 p.m.

Cross-site Scripting in healthcheck webconsole plugin

2023-07-2518:30:32

Google

osv.dev

apache felix

healthcheck

webconsole

cross-site scripting

xss

vulnerability

cwe-79

upgrade

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.006 Low

EPSS

Percentile

77.9%

JSON

An improper neutralization of input during web page generation (‘Cross-site Scripting’) [CWE-79] vulnerability in Apache Felix Healthcheck Webconsole Plugin version 2.0.2 and prior may allow an attacker to perform a reflected cross-site scripting (XSS) attack.

Upgrade to Apache Felix Healthcheck Webconsole Plugin 2.1.0 or higher.

CPENameOperatorVersion
org.apache.felix:org.apache.felix.healthcheck.webconsoleplugineq2.0.0
org.apache.felix:org.apache.felix.healthcheck.webconsoleplugineq2.0.2
org.apache.felix:org.apache.felix.healthcheck.webconsoleplugineq0.1.1

Name	Operator	Version
org.apache.felix:org.apache.felix.healthcheck.webconsoleplugin	eq	2.0.0
org.apache.felix:org.apache.felix.healthcheck.webconsoleplugin	eq	2.0.2
org.apache.felix:org.apache.felix.healthcheck.webconsoleplugin	eq	0.1.1

References

seclists.org/fulldisclosure/2023/Jul/43

www.openwall.com/lists/oss-security/2023/07/25/10

github.com/apache/felix-dev

github.com/apache/felix-dev/commit/c4e67520e0a4499389342491869919a6c42ed62c

lists.apache.org/thread/r3blhp3onr4rdbkgdyglqnccg0v79pfv

nvd.nist.gov/vuln/detail/CVE-2023-38435

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.006 Low

EPSS

Percentile

77.9%

JSON

Related for OSV:GHSA-4PVW-G9FX-594R