3 matches found
CVE-2024-27292
Docassemble (1.4.53–1.4.96) is affected by CVE-2024-27292: an unauthenticated information disclosure via URL manipulation in the interview endpoint. The issue enables reading arbitrary server information; patch is available in version 1.4.97 of the master branch. The vulnerability has CVSS 3.1 ba...
CVE-2024-27290
Docassemble is affected by an HTML/JavaScript injection vulnerability in which an attacker could input HTML in a field (notably the user’s name) and have it rendered as HTML. This stems from improper handling of user-supplied HTML prior to version 1.4.97. The issue has been fixed in the master br...
CVE-2024-27291
CVE-2024-27291 concerns Docassemble, an expert system for guided interviews and document assembly. The issue is an open redirect vulnerability: before version 1.4.97, a crafted URL can cause a user to be redirected to an arbitrary site due to improper URL handling. The open redirect is mitigated ...