Skip to content

csaf-poc/csaf_distribution Cross-site Scripting vulnerability

Moderate severity GitHub Reviewed Published Dec 14, 2022 to the GitHub Advisory Database • Updated Sep 18, 2023

Package

gomod github.com/csaf-poc/csaf_distribution (Go)

Affected versions

< 0.8.2

Patched versions

0.8.2

Description

The csaf_provider package before 0.8.2 allows XSS via a crafted CSAF document uploaded as text/html. The endpoint upload allows valid CSAF advisories (JSON format) to be uploaded with Content-Type text/html and filenames ending in .html. When subsequently accessed via web browser, these advisories are served and interpreted as HTML pages. Such uploaded advisories can contain JavaScript code that will execute within the browser context of users inspecting the advisory.

References

Published by the National Vulnerability Database Dec 13, 2022
Published to the GitHub Advisory Database Dec 14, 2022
Reviewed Dec 14, 2022
Last updated Sep 18, 2023

Severity

Moderate

EPSS score

0.054%
(24th percentile)

Weaknesses

CVE ID

CVE-2022-43996

GHSA ID

GHSA-xxfx-w2rw-gh63

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.