Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05M2g2LXd4N3ItbWdmcM4AAy_b
Cross Site Scripting (XSS) in Serenity
An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an administrator user.
Permalink: https://github.com/advisories/GHSA-93h6-wx7r-mgfpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05M2g2LXd4N3ItbWdmcM4AAy_b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-93h6-wx7r-mgfp, CVE-2023-31285
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-31285
- https://github.com/serenity-is/Serenity/commit/11b9d267f840513d04b4f4d4876de7823a6e48d2
- https://github.com/serenity-is/Serenity/commit/f54e9bfcf8ceb7f26f81a7362349bc1f63251d92
- https://github.com/serenity-is/serene/commit/6dce8162f4382badd429a9f0f1470acb64e8c4fd
- http://seclists.org/fulldisclosure/2023/May/14
- http://packetstormsecurity.com/files/172648/Serenity-StartSharp-Software-File-Upload-XSS-User-Enumeration-Reusable-Tokens.html
- https://github.com/advisories/GHSA-93h6-wx7r-mgfp
Blast Radius: 1.0
Affected Packages
nuget:Serenity.Net.Services
Dependent packages: 2Dependent repositories: 0
Downloads: 217,276 total
Affected Version Ranges: < 6.7.0
Fixed in: 6.7.0
All affected versions: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.17, 5.0.18, 5.0.19, 5.0.20, 5.0.21, 5.0.22, 5.0.23, 5.0.24, 5.0.25, 5.0.26, 5.0.27, 5.0.28, 5.0.29, 5.0.30, 5.0.31, 5.0.32, 5.0.33, 5.0.34, 5.0.35, 5.0.36, 5.0.37, 5.0.38, 5.0.39, 5.0.40, 5.0.41, 5.0.42, 5.0.43, 5.0.44, 5.0.45, 5.0.46, 5.0.47, 5.0.48, 5.0.49, 5.0.50, 5.0.51, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6
All unaffected versions: 6.7.0, 6.7.1, 6.7.2, 6.7.5, 6.7.6, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 6.9.5, 6.9.6, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0, 8.2.1, 8.2.2, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.3.5, 8.3.6, 8.3.7, 8.3.8, 8.3.9, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.4.6, 8.4.7, 8.4.8, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.6.4, 8.7.0, 8.7.1, 8.7.2, 8.7.3, 8.7.4, 8.7.5, 8.7.6, 8.7.7, 8.7.8, 8.7.9
nuget:Serenity.Net.Core
Dependent packages: 3Dependent repositories: 0
Downloads: 307,870 total
Affected Version Ranges: < 6.7.0
Fixed in: 6.7.0
All affected versions: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.17, 5.0.18, 5.0.19, 5.0.20, 5.0.21, 5.0.22, 5.0.23, 5.0.24, 5.0.25, 5.0.26, 5.0.27, 5.0.28, 5.0.29, 5.0.30, 5.0.31, 5.0.32, 5.0.33, 5.0.34, 5.0.35, 5.0.36, 5.0.37, 5.0.38, 5.0.39, 5.0.40, 5.0.41, 5.0.42, 5.0.43, 5.0.44, 5.0.45, 5.0.46, 5.0.47, 5.0.48, 5.0.49, 5.0.50, 5.0.51, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6
All unaffected versions: 6.7.0, 6.7.1, 6.7.2, 6.7.5, 6.7.6, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 6.9.5, 6.9.6, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0, 8.2.1, 8.2.2, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.3.4, 8.3.5, 8.3.6, 8.3.7, 8.3.8, 8.3.9, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.4.6, 8.4.7, 8.4.8, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.6.4, 8.7.0, 8.7.1, 8.7.2, 8.7.3, 8.7.4, 8.7.5, 8.7.6, 8.7.7, 8.7.8, 8.7.9