Lucene search

Veracode Vulnerability DatabaseVERACODE:42827

HistoryAug 17, 2023 - 3:09 a.m.

Cross-site Scripting (XSS)

2023-08-1703:09:26

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

scancodeio

cross-site scripting

xss

sanitization

licenses.py

endpoint

injection

javascript

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

scancodeio is vulnerable to Cross-site Scripting (XSS). The vulnerability exists due to the lack of sanitization in the key parameter of licenses.py, which allows an attacker to inject and execute malicious JavaScript through the /license/ endpoint.

CPENameOperatorVersion
scancodeiole32.5.1
scancodeiole32.5.1

CPE	Name	Operator	Version
	scancodeio	le	32.5.1
	scancodeio	le	32.5.1

References

github.com/nexB/scancode.io/blob/dd7769fbc97c84545579cebf1dc4838214098a11/CHANGELOG.rst#v3252-2023-08-14

github.com/nexB/scancode.io/commit/ed5a48f655bef5b5d1a300ffc600b6826eb775ec

github.com/nexB/scancode.io/issues/847

github.com/nexB/scancode.io/pull/849

github.com/nexB/scancode.io/security/advisories/GHSA-6xcx-gx7r-rccj

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for VERACODE:42827