Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNmN3LWc3ZmMtNGd3Y84ABAA2
Lara-zeus Dynamic Dashboard and Artemis do not validate paragraph widget values which can be used for XSS
Summary
If values passed to a paragraph widget are not validated and contain a specific set of characters, applications are vulnerable to an XSS attack against any user who opens a page on which the paragraph widget is rendered.
Versions of dynamic dashboard from v3.0.0 through v3.0.2 are affected.
Please upgrade to dynamic dashboard v3.0.2.
PoC
PoC will be published in a few weeks, once developers have had a chance to upgrade their apps.
Response
This vulnerability (in the paragraph widget only) was reported by Raghav Sharma, who reported and patched the issue on the morning of 05/10/2024. Thank you Raghav Sharma.
The review process concluded that night and revealed the issue was also present in the paragraph widget. This was fixed the same day and dynamic dashboard v3.0.2 followed.
Note:
If you have published the views (blade files), you have to republish them, or check the changes in the release and update the affected file manually.
Permalink: https://github.com/advisories/GHSA-c6cw-g7fc-4gwc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNmN3LWc3ZmMtNGd3Y84ABAA2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 14 days ago
Updated: 14 days ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-c6cw-g7fc-4gwc, CVE-2024-47817
References:
- https://github.com/lara-zeus/dynamic-dashboard/security/advisories/GHSA-c6cw-g7fc-4gwc
- https://github.com/lara-zeus/artemis/commit/4636f58628d20d3e78ea8514406bd7da94997f2c
- https://github.com/lara-zeus/dynamic-dashboard/commit/adfb4b1cdfdaa01299631f0e569ce201a7cc545a
- https://nvd.nist.gov/vuln/detail/CVE-2024-47817
- https://github.com/lara-zeus/artemis/commit/3a3f9dd8a706af569c5581b20dcfeff91a43b9d9
- https://github.com/advisories/GHSA-c6cw-g7fc-4gwc
Blast Radius: 0.0
Affected Packages
packagist:lara-zeus/artemis
Dependent packages: 1
Dependent repositories: 1
Downloads: 654 total
Affected Version Ranges: >= 1.0.0, <= 1.0.6
Fixed in: 1.0.7
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6
All unaffected versions: 1.0.7
packagist:lara-zeus/dynamic-dashboard
Dependent packages: 1
Dependent repositories: 0
Downloads: 923 total
Affected Version Ranges: >= 3.0.0, <= 3.0.1
Fixed in: 3.0.2
All affected versions: 3.0.0, 3.0.1
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 3.0.2