Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocTc1LWdnYzMtOGgzcc4AAhWc
AntSword RCE and XSS via code injection
In antSword before 2.1.0, self-XSS in the database configuration leads to code execution via modules/database/asp/index.js, modules/database/custom/index.js, modules/database/index.js, or modules/database/php/index.js.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocTc1LWdnYzMtOGgzcc4AAhWc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-hq75-ggc3-8h3q, CVE-2019-13970
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-13970
- https://github.com/AntSwordProject/antSword/issues/151
- https://github.com/AntSwordProject/antSword/commit/4b932e81447b4b0475f4fce45525547395c249d3
- https://github.com/AntSwordProject/antSword/compare/ed01dea...834063a
- https://github.com/advisories/GHSA-hq75-ggc3-8h3q
Blast Radius: 0.0
Affected Packages
npm:antsword
Dependent packages: 3Dependent repositories: 1
Downloads: 17 last month
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.0.2
All unaffected versions: