GSA_kwCzR0hTQS0zaHd4LWM2Y3AtcTk3Ms4AAgdi

Critical EPSS: 0.00183% (0.40541 Percentile) EPSS:

Permalink JSON

Publify vulnerable to cross site scripting

Affected Packages	Affected Versions	Fixed Versions
rubygems:publify_core PURL: `pkg:gem/publify_core`	< 9.2.9	9.2.9
2 Dependent packages 8 Dependent repositories 40,151 Downloads total Affected Version Ranges All affected versions 9.0.0, 9.0.1, 9.1.0, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8 All unaffected versions 9.2.9, 9.2.10, 10.0.0, 10.0.1, 10.0.2, 10.0.3

Unrestricted file upload allowed the attacker to manipulate the request and bypass the protection of HTML files using a text file. Stored XSS may be obtained.

References:

https://nvd.nist.gov/vuln/detail/CVE-2022-1811
https://github.com/publify/publify/commit/0fb6b027fbaf17f6a6551f2148482a03eac12927
https://huntr.dev/bounties/4d97f665-c9f1-4c38-b774-692255a7c44c
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2022-1811.yml
https://github.com/advisories/GHSA-3hwx-c6cp-q972

Identifiers

GHSA-3hwx-c6cp-q972

CVE-2022-1811

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00183

EPSS Percentile: 0.40541

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/publify/publify

Date and time

Published

over 3 years ago

Updated

about 2 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories