Veracode Vulnerability DatabaseVERACODE:37702Cross-Site Scripting (XSS)
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
45.4%
twisted is vulnerable to cross-site scripting. The vulnerability is due to the function _getResourceForRequest in vhost.py. When the host header does not match the configured twisted.web.vhost.NameVirtualHost, the 404 page will render the header allowing an attacker to inject and execute HTML and scripts.
References
github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b
github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4
github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
lists.debian.org/debian-lts-announce/2022/11/msg00038.html
security.gentoo.org/glsa/202301-02
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
45.4%