Lucene search

Veracode Vulnerability DatabaseVERACODE:42049

HistoryAug 04, 2023 - 7:59 a.m.

Cross-site Scripting (XSS)

2023-08-0407:59:06

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

github

markdown

validation

user-controllable input

javascript

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

23.5%

JSON

github.com/answerdev/answer is vulnerable to Cross-site Scripting (XSS). The vulnerability exists due to the lack of validation in the user-controllable input in markdown.go, which allows an attacker to inject and execute malicious Javascript into the browser.

CPENameOperatorVersion
github.com/answerdev/answerlev1.0.6
github.com/answerdev/answerlev1.0.6

CPE	Name	Operator	Version
	github.com/answerdev/answer	le	v1.0.6
	github.com/answerdev/answer	le	v1.0.6

References

github.com/advisories/GHSA-83qr-c7m9-wmgw

github.com/answerdev/answer/commit/c3743bad4f2a69f69f8f1e1e5b4b6524fc03da25

huntr.dev/bounties/4d4b0caa-6d8c-4574-ae7e-e9ef5e2e1a40