Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00aDcyLTM0ajYtajh4N84AA34K
Maloja error page XSS vulnerability
Impact
The error page for a missing path echoes the path back to the user. If this contains HTML, an attacker could execute a script on the user's machine inside the Maloja context and perform authorized actions like scrobbling or deleting scrobbles.
This does not affect the security of your server. The exploit is purely client-side.
Since there is very little incentive to mess with your scrobble data and it requires very specific targeting (an attacker would have to send a user a link to their own server), the severity rating might be misleading.
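The pattern the advisory describes, as an added example that is not Maloja's code and not the fix from the referenced commit: a 404 handler that reflects the requested path into an HTML error page, written once the unsafe way (the path is interpolated verbatim, so markup in it becomes part of the page) and once the hardened way (the path is HTML-escaped before interpolation). The template, the sample paths and the helper names are constructed for this illustration; the check at the end parses the rendered page and reports any tag that is not part of the fixed template, which is a simple way to confirm that a reflected value is rendered as text rather than as live HTML.

```python
"""Reflected-path error page: unsafe rendering beside its escaped form.

Added example, not Maloja's code. Standard library only.
"""
from collections import Counter
from html import escape
from html.parser import HTMLParser

# Constructed sample inputs: an ordinary missing path and one carrying markup.
SAMPLE_PATHS = [
    "/artist/does-not-exist",
    "/<img src=x onerror=alert(1)>",
]

# Hypothetical error-page template; the reflected path goes into {path}.
ERROR_TEMPLATE = (
    "<html><body><h1>404</h1><p>Page {path} not found.</p></body></html>"
)


def render_not_found_unsafe(path: str) -> str:
    """Reflects the path verbatim: any markup in it is interpreted by the browser."""
    return ERROR_TEMPLATE.format(path=path)


def render_not_found_safe(path: str) -> str:
    """Escapes &, <, >, " and ' so the path is displayed as text, never parsed as HTML."""
    return ERROR_TEMPLATE.format(path=escape(path, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag the HTML parser sees in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Return the list of start tags found in the given HTML, in document order."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# The tags the template itself contributes, independent of any reflected value.
TEMPLATE_TAGS = tags_in(ERROR_TEMPLATE.format(path=""))


def injected_tags(rendered: str) -> list:
    """Tags present in a rendered page beyond those of the fixed template.

    A non-empty result means user-controlled input reached the page as markup.
    """
    extra = Counter(tags_in(rendered)) - Counter(TEMPLATE_TAGS)
    return sorted(extra.elements())


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print("path:           ", sample)
        print("unsafe injects: ", injected_tags(render_not_found_unsafe(sample)))
        print("safe injects:   ", injected_tags(render_not_found_safe(sample)))
```

Running the block shows the unsafe renderer adding an `img` element for the second sample while the escaped renderer adds nothing for either path. The same tag-diff check can be applied to any page that reflects a request value: render it with a marker input containing `<` and compare the parsed tag set against the template's own.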
Patches
The vulnerability is patched in 3.2.2.
Permalink: https://github.com/advisories/GHSA-4h72-34j6-j8x7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00aDcyLTM0ajYtajh4N84AA34K
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 12 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-4h72-34j6-j8x7
References:
- https://github.com/krateng/maloja/security/advisories/GHSA-4h72-34j6-j8x7
- https://github.com/krateng/maloja/commit/febaff97228b37a192f2630aa331cac5e5c3e98e
- https://github.com/advisories/GHSA-4h72-34j6-j8x7
Blast Radius: 0.0
Affected Packages
pypi:malojaserver
Dependent packages: 0
Dependent repositories: 1
Downloads: 6,062 last month
Affected Version Ranges: < 3.2.2
Fixed in: 3.2.2
All affected versions: 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.1.1, 2.1.2, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.12.10, 2.12.12, 2.12.13, 2.12.14, 2.12.15, 2.12.16, 2.12.17, 2.12.18, 2.12.19, 2.12.20, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.14.8, 2.14.9, 2.14.10, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.2.0, 3.2.1
All unaffected versions: 3.2.2