Lucene search

GoogleOSV:GHSA-X5Q4-M45M-FM94

HistoryDec 28, 2022 - 12:30 p.m.

Harvest Chosen vulnerable to Cross-site Scripting

2022-12-2812:30:51

Google

osv.dev

harvest chosen

vulnerability

cross-site scripting

version 1.8.6

abstractchosen

file coffee/lib/abstract-chosen.coffee

group_label

remote attack

upgrade

patch 77fd031d541e77510268d1041ed37798fdd1017e

component

identifier vdb-216956

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

41.2%

JSON

A vulnerability, which was classified as problematic, has been found in Harvest Chosen up to 1.8.6. Affected by this issue is the function AbstractChosen of the file coffee/lib/abstract-chosen.coffee. The manipulation of the argument group_label leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.8.7 can address this issue. The name of the patch is 77fd031d541e77510268d1041ed37798fdd1017e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216956.

CPENameOperatorVersion
harvesthq/choseneq1.8.6

CPE	Name	Operator	Version
	harvesthq/chosen	eq	1.8.6

References

github.com/harvesthq/chosen

github.com/harvesthq/chosen/commit/77fd031d541e77510268d1041ed37798fdd1017e

github.com/harvesthq/chosen/pull/2997

github.com/harvesthq/chosen/releases/tag/v1.8.7

nvd.nist.gov/vuln/detail/CVE-2018-25050

vuldb.com/?ctiid.216956

vuldb.com/?id.216956

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

41.2%

JSON

Related for OSV:GHSA-X5Q4-M45M-FM94