Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycGc2LXZ3OWMtcWhqds4AA7Ug
Passbolt API allows HTML injection
Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.
Permalink: https://github.com/advisories/GHSA-2pg6-vw9c-qhjv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycGc2LXZ3OWMtcWhqds4AA7Ug
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Identifiers: GHSA-2pg6-vw9c-qhjv, CVE-2024-33670
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-33670
- https://help.passbolt.com/incidents/reflective-html-injection-vulnerability
- https://github.com/passbolt/passbolt_api/commit/5c537849040990086dcd5013b5bb009e1dad3fb6
- https://github.com/advisories/GHSA-2pg6-vw9c-qhjv
Blast Radius: 1.0
Affected Packages
packagist:passbolt/passbolt_api
Dependent packages: 0
Dependent repositories: 0
Downloads: 78 total
Affected Version Ranges: < 4.6.2
Fixed in: 4.6.2
All affected versions: 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.9, 1.6.10, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.5, 2.14.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.3, 3.9.0, 3.10.0, 3.11.0, 3.11.1, 3.12.0, 3.12.2, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.2, 4.6.0, 4.6.1
All unaffected versions: 4.6.2, 4.7.0, 4.8.0, 4.9.0, 4.9.1