Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mMmM1LTk5N3ctN2Y1Y80Vyg
Cross-site Scripting in peertube
peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). An attacker could upload an SVG image and send its URL to other users; when they open the link, script embedded in the SVG runs in their browser and can read their complete session keys, because the session keys are stored in local storage and are accessible from JavaScript.
Permalink: https://github.com/advisories/GHSA-f2c5-997w-7f5c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mMmM1LTk5N3ctN2Y1Y80Vyg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-f2c5-997w-7f5c, CVE-2021-3780
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3780
- https://github.com/chocobozzz/peertube/commit/0ea2f79d45b301fcd660efc894469a99b2239bf6
- https://huntr.dev/bounties/282807a8-4bf5-4fe2-af62-e05f945b3d65
- https://github.com/advisories/GHSA-f2c5-997w-7f5c
Blast Radius: 0.0
Affected Packages
npm:peertube
Dependent packages: 1
Dependent repositories: 1
Downloads: 16 last month
Affected Version Ranges: < 3.4.0
Fixed in: 3.4.0
All affected versions: 1.0.0, 1.0.1, 3.0.1
All unaffected versions: