Veracode Vulnerability DatabaseVERACODE:45463

HistoryFeb 13, 2024 - 8:00 a.m.

Cross Site Scripting (XSS)

2024-02-1308:00:06

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross site scripting

github

caddy security

input sanitization

get requests

browser

vulnerability

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

https://github.com/greenpau/caddy-security is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper input sanitization when handling /admin or /settings/mfa/delete/ GET requests. An attacker can inject arbitrary JavaScript code into the users browser, resulting in XSS.

CPENameOperatorVersion
github.com/greenpau/caddy-securitylev1.1.23
github.com/greenpau/caddy-securitylev1.1.23

CPE	Name	Operator	Version
	github.com/greenpau/caddy-security	le	v1.1.23
	github.com/greenpau/caddy-security	le	v1.1.23

References

blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/

blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/#:~:text=Issue%20%231%3A%20Reflected%20Cross%2DSite%20Scripting%20(XSS)

github.com/greenpau/caddy-security/issues/264