Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS14cjdwLThxODItODc4cc4AAwLZ

teler dashboard vulnerable to DOM-based cross-site scripting (XSS)

Description

teler prior to version <= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the /events endpoint, the log data displayed on the dashboard are not sanitized.

Impact

This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users.

Affected Version

This issue was introduced from version v2.0.0-rc to v2.0.0-rc.3 & v2.0.0-dev.

Patches

This vulnerability has been fixed on version v2.0.0-rc.4 & v2.0.0-dev.2.

Workarounds

Here are some workarounds to handle this case:

• Deactivate the live event dashboard from the configuration file, or
• Upgrade teler version to v2.0.0-rc.4 or v2.0.0-dev.2 & above.

References

• https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e

Permalink: https://github.com/advisories/GHSA-xr7p-8q82-878q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjdwLThxODItODc4cc4AAwLZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

Identifiers: GHSA-xr7p-8q82-878q, CVE-2022-23466
References:

• https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q
• https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e
• https://nvd.nist.gov/vuln/detail/CVE-2022-23466
• https://github.com/advisories/GHSA-xr7p-8q82-878q

Repository: https://github.com/kitabisa/teler
Blast Radius: 1.0

Affected Packages