An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yOGY0LWh2MjMtNnFwNs4AA5Kq
Norman API Cross-site Scripting Vulnerability
The attack vector was identified as a Reflected XSS.
Norman API propagates malicious payloads from user input to the UI, which renders the output. For example, a malicious URL gets rendered into a script that is executed on a page.
The changes addressed by this fix are:
- Encode input that comes from the request URL before adding it to the response.
- The request input is escaped by changing the URL construction that is used for links to use
Patched versions include the following commits:
There is no direct mitigation besides updating Norman API to a patched version.
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security-related inquiries.
- Open an issue in the Rancher repository.
- Verify with our support matrix and product support lifecycle.
Source: GitHub Advisory Database
Published: 22 days ago
Updated: 22 days ago
CVSS Score: 8.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Identifiers: GHSA-r8f4-hv23-6qp6, CVE-2023-32193
Fixed in: 0.0.0-20240207153100-3bb70b772b52