Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02OXd3LXd2M2otbWhnNM4AAk4A
Comments plugin stored Cross-site Scripting (XSS) via an asset volume name
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. There is stored XSS via an asset volume name.
Permalink: https://github.com/advisories/GHSA-69ww-wv3j-mhg4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OXd3LXd2M2otbWhnNM4AAk4A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 24 days ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-69ww-wv3j-mhg4, CVE-2020-13870
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13870
- https://github.com/verbb/comments/blob/craft-3/CHANGELOG.md#155---2020-05-28-critical
- https://github.com/advisories/GHSA-69ww-wv3j-mhg4
Blast Radius: 0.0
Affected Packages
packagist:verbb/comments
Dependent packages: 0Dependent repositories: 1
Downloads: 45,861 total
Affected Version Ranges: < 1.5.5
Fixed in: 1.5.5
All affected versions: 0.3.6, 0.3.8, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4
All unaffected versions: 1.5.5, 1.5.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12