Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05Y2h2LTN3NmMtanE5d84AAzEi
Cross Site Scripting in OpenTSDB
Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability in the suggestion endpoint.
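The bug class above is a request parameter echoed into an HTML error body without escaping. The following is an added example, not OpenTSDB's code and not the advisory's exploit: it shows that pattern beside its hardened form and a canary-based check that classifies how a response reflects the probe. The two error pages are constructed stand-ins, the endpoint path, parameter name and base URL are placeholders rather than values taken from the advisory, and `probe` is a hypothetical helper for use only against a server you are authorized to test.

```python
"""Added example, not OpenTSDB's code: a canary-based check for a request
parameter reflected into an HTML error message without escaping.  Both
"error pages" below are constructed stand-ins, not OpenTSDB responses."""
import html
import urllib.error
import urllib.parse
import urllib.request

# Harmless canary carrying the characters an HTML/JS injection needs.
# If it comes back byte-for-byte, the reflection is unescaped.
CANARY = '<x9z"\'>'


def vulnerable_error_page(param_value: str) -> str:
    """Constructed illustration of the bug class: the raw parameter is
    concatenated straight into the HTML error body."""
    return ("<html><body><h1>Bad Request</h1>"
            f"<p>Invalid parameter: {param_value}</p></body></html>")


def hardened_error_page(param_value: str) -> str:
    """The same message with the value HTML-escaped (quotes included)
    before it is reflected, which neutralises the canary."""
    safe = html.escape(param_value, quote=True)
    return ("<html><body><h1>Bad Request</h1>"
            f"<p>Invalid parameter: {safe}</p></body></html>")


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Classify how a response body reflects the canary."""
    if canary in body:
        return "reflected-unescaped"      # exploitable pattern
    if html.escape(canary, quote=True) in body:
        return "reflected-escaped"        # reflected, but neutralised
    return "not-reflected"


def build_probe_url(base_url: str, path: str, param: str,
                    canary: str = CANARY) -> str:
    """Build the probe URL.  `path` and `param` are whatever endpoint and
    parameter you are testing (placeholders, not taken from the advisory)."""
    query = urllib.parse.urlencode({param: canary})
    return f"{base_url.rstrip('/')}/{path.lstrip('/')}?{query}"


def probe(base_url: str, path: str, param: str, timeout: float = 5.0) -> str:
    """Hypothetical live check.  Error responses (4xx/5xx) are the
    interesting ones, so their bodies are read from the HTTPError
    instead of being discarded."""
    url = build_probe_url(base_url, path, param)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return classify_reflection(body)


if __name__ == "__main__":
    # Offline demonstration on the constructed pages.
    print(classify_reflection(vulnerable_error_page(CANARY)))  # reflected-unescaped
    print(classify_reflection(hardened_error_page(CANARY)))    # reflected-escaped
    # Placeholder host and path; substitute the endpoint you are testing.
    print(build_probe_url("http://localhost:4242", "/example", "param"))
```

The canary deliberately contains `<`, `>`, `"` and `'` so that a response escaping only angle brackets but not quotes (enough to break out of an attribute) is still reported as unescaped; an escaped reflection that matches `html.escape` output is reported separately so you can tell a fixed endpoint from one that never echoes the parameter at all.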
Permalink: https://github.com/advisories/GHSA-9chv-3w6c-jq9w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Y2h2LTN3NmMtanE5d84AAzEi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Identifiers: GHSA-9chv-3w6c-jq9w, CVE-2023-25827
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-25827
- https://github.com/OpenTSDB/opentsdb/pull/2274
- https://www.synopsys.com/blogs/software-security/opentsdb/
- https://github.com/advisories/GHSA-9chv-3w6c-jq9w
Blast Radius: 18.4
Affected Packages
maven:net.opentsdb:opentsdb
Dependent packages: 4
Dependent repositories: 175
Downloads:
Affected Version Ranges: <= 2.4.1
No known fixed version
All affected versions: 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1