Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycjlyLThmY2ctbTM4Z84AAyoL
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames
Impact
A cross-site scripting vulnerability has been identified in Goobi viewer core when using nicknames. An attacker could create a user account and enter malicious scripts into their profile's nickname, resulting in the execution in the user's browser when displaying the nickname on certain pages.
Patches
The vulnerability has been fixed in version 23.03
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycjlyLThmY2ctbTM4Z84AAyoL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00086
EPSS Percentile: 0.37595
Identifiers: GHSA-2r9r-8fcg-m38g, CVE-2023-29016
References:
- https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g
- https://nvd.nist.gov/vuln/detail/CVE-2023-29016
- https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238
- https://github.com/advisories/GHSA-2r9r-8fcg-m38g
Blast Radius: 1.0
Affected Packages
maven:io.goobi.viewer:viewer-core
Affected Version Ranges: < 23.03Fixed in: 23.03