Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-5H5V-HW44-F6GG
HistoryMay 14, 2024 - 8:13 p.m.

Oceanic allows unsanitized user input to lead to path traversal in URLs

2024-05-1420:13:58
Google
osv.dev
2
oceanic
user input
path traversal
url
encoding
vulnerability

0.0004 Low

EPSS

Percentile

10.2%

JSON

Impact

Input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban.

Workarounds

  • Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
  • Encoding input with encodeURIComponent before providing it to the library.

References

OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe

CPENameOperatorVersion
oceanic.jslt1.10.4

Related

cve 1
cvelist 1
github 1
veracode 1
osv 1
cve
cve
CVE-2024-34712
2024-05-14 16:17:26
cvelist
cvelist
CVE-2024-34712 Oceanic allows unsanitized user input to lead to path traversal in URLs
2024-05-14 14:32:06
github
github
Oceanic allows unsanitized user input to lead to path traversal in URLs
2024-05-14 20:13:58
veracode
veracode
URL Manipulation
2024-05-15 08:57:19
osv
osv
CVE-2024-34712
2024-05-14 16:17:26

0.0004 Low

EPSS

Percentile

10.2%

JSON
Related for OSV:GHSA-5H5V-HW44-F6GG
cve1cvelist1github1veracode1osv1