Source: Ubuntu.com (ubuntucve), ID UB:CVE-2017-15215
History: Oct 11, 2017 - 12:00 a.m.

CVE-2017-15215


CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

EPSS: 0.001
Percentile: 43.8%

Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated
attacker to inject JavaScript via the searchtags parameter to index.php. If
the victim is an administrator, an attacker can (for example) take over the
admin session or change global settings or add/delete links. It is also
possible to execute JavaScript against unauthenticated users.

Notes

Author: msalvatore
Note: introduced by https://github.com/shaarli/Shaarli/commit/6ccd0b218fbd34de750f55b78f3dc43bb3d9fa8e
