OSV:GHSA-927P-XRC2-X2GJ
History: May 28, 2024 - 9:23 p.m.

ansibleguy-webui Cross-site Scripting vulnerability

2024-05-28 21:23:42
Google
osv.dev

cross-site scripting, html injection, browser evaluation, upgrade, github issue 44, report, webui

CVSS3: 8.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

AI Score: 6.9 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 15.6%)

Impact

Multiple forms in versions < 0.0.21 allowed injection of HTML elements.
The injected elements are returned to the user after executing job actions and are thus evaluated by the browser.

Patches

We recommend upgrading to version >= 0.0.21.
