Lucene search

GoogleOSV:GHSA-7V7G-9VX6-VCG2

HistoryApr 07, 2023 - 7:22 p.m.

Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter

2023-04-0719:22:41

Google

osv.dev

goobi viewer

reflected cross-site scripting

vulnerability

logid parameter

patch

rus-cert

email alert

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

32.2%

JSON

Impact

A reflected cross-site scripting vulnerability has been identified in Goobi viewer core when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user’s browser.

Patches

The vulnerability has been fixed in version 23.03

Credits

We would like to thank RUS-CERT for reporting this issues.

If you have any questions or comments about this advisory:

Email us at [email protected]

References

github.com/intranda/goobi-viewer-core

github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455

github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2

nvd.nist.gov/vuln/detail/CVE-2023-29014

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

32.2%

JSON

Related for OSV:GHSA-7V7G-9VX6-VCG2