Lucene search
Veracode Vulnerability DatabaseVERACODE:20924HistoryJul 30, 2019 - 2:33 a.m.
Cross-site Scripting (XSS)
2019-07-3002:33:54
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
4
0.001 Low
EPSS
Percentile
22.7%
invenio-records is vulnerable to cross-site scripting (XSS). When an admin user views a new record uploaded by a user with permission to upload in the admin interface, it directly renders JSON output for the new record, allowing the user to inject and render any arbitrary malicious script to render in admin interface.
| CPE | Name | Operator | Version |
|---|---|---|---|
| invenio-records | eq | 1.1.0 | |
| invenio-records | le | 1.0.1 | |
| invenio-records | le | 1.2.1 |
References
github.com/inveniosoftware/invenio-records/blob/master/CHANGES.rst
github.com/inveniosoftware/invenio-records/commit/361def20617cde5a1897c2e81b70bfadaabae608
github.com/inveniosoftware/invenio-records/commit/4b3f74ead8db36cec6a6b97a77ddd56e0ff30e2b
github.com/inveniosoftware/invenio-records/security/advisories/GHSA-vxh3-mvv7-265j
Related
cvelist
cvelist
CVE-2019-1020003
2019-07-29 14:03:57
osv
osv
PYSEC-2019-27
2019-07-29 15:15:00
Cross-site scripting invenio-records
2019-07-16 00:52:15
CVE-2019-1020003
2019-07-29 15:15:11
cve
cve
CVE-2019-1020003
2019-07-29 15:15:11
prion
prion
Cross site scripting
2019-07-29 15:15:00
nvd
nvd
CVE-2019-1020003
2019-07-29 15:15:11
github
github
Cross-site scripting invenio-records
2019-07-16 00:52:15