Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mdjgtcTM5Zi1tZ2Zn

Cross-site Scripting in invenio-communities

Cross-Site Scripting (XSS) vulnerability in Jinja templates

Impact

A Cross-Site Scripting (XSS) vulnerability was discovered in two Jinja templates in the Invenio-Communities module. It allows a user who creates a new community to include script element tags inside the community's description and page fields.
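The pattern behind this class of bug, as an added illustration that is not invenio-communities' own code: a user-controlled community field rendered by a Jinja2 template with autoescaping disabled emits the submitted markup verbatim, whereas the same template under autoescaping emits it as inert text. The template fragment, the field names and the sample description below are constructed for the example; the two real templates from the advisory are not reproduced. The third renderer shows the caveat a reviewer would check for: a `|safe` filter (or a value wrapped in `Markup`) silently reopens the hole even when autoescaping is on.

```python
# Added example, not code from invenio-communities. Demonstrates how a
# user-controlled field renders with and without Jinja2 autoescaping.
from jinja2 import Environment
from markupsafe import escape

# Constructed sample input: a community description carrying a script
# element, the kind of value the advisory says a user could submit.
SAMPLE_DESCRIPTION = 'Our lab <script>alert("xss")</script> welcomes you'

# Hypothetical template fragment modelled on a community landing page.
COMMUNITY_TEMPLATE = (
    "<h1>{{ community.title }}</h1>\n"
    '<div class="description">{{ community.description }}</div>'
)


def render_unescaped(description: str) -> str:
    """Vulnerable pattern: an Environment with autoescaping disabled.

    Jinja2's default for templates loaded from strings is autoescape=False,
    so markup inside the field is written straight into the page.
    """
    env = Environment(autoescape=False)
    tpl = env.from_string(COMMUNITY_TEMPLATE)
    return tpl.render(community={"title": "Lab", "description": description})


def render_escaped(description: str) -> str:
    """Hardened pattern: autoescaping on, so < > & and quotes become entities."""
    env = Environment(autoescape=True)
    tpl = env.from_string(COMMUNITY_TEMPLATE)
    return tpl.render(community={"title": "Lab", "description": description})


def render_with_safe_filter(description: str) -> str:
    """Caveat: |safe tells Jinja2 the value is trusted HTML, defeating
    autoescape for that expression and recreating the original bug."""
    env = Environment(autoescape=True)
    tpl = env.from_string("<div>{{ description|safe }}</div>")
    return tpl.render(description=description)


def escape_field(value: str) -> str:
    """View-side alternative: escape once before the value reaches any
    template, using the same escaper Jinja2's autoescape relies on."""
    return str(escape(value))


def contains_raw_script_tag(rendered: str) -> bool:
    """Cheap regression check a test suite can run over rendered output."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("autoescape off :", render_unescaped(SAMPLE_DESCRIPTION))
    print("autoescape on  :", render_escaped(SAMPLE_DESCRIPTION))
    print("|safe bypass   :", render_with_safe_filter(SAMPLE_DESCRIPTION))
```

Run it as a script to see the three renderings side by side; in a real code base, `contains_raw_script_tag` over the rendered community page is the kind of assertion that would have caught the regression before release, and a grep for `|safe` and `Markup(` on user-supplied fields is the matching review step.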

Patches

The problem has been patched in v1.0.0a20.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-mfv8-q39f-mgfg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mdjgtcTM5Zi1tZ2Zn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: 3 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00054
EPSS Percentile: 0.23536

Identifiers: GHSA-mfv8-q39f-mgfg, CVE-2019-1020005
References: Repository: https://github.com/inveniosoftware/invenio-communities
Blast Radius: 8.0

Affected Packages

pypi:invenio-communities
Dependent packages: 5
Dependent repositories: 30
Downloads: 15,583 last month
Affected Version Ranges: <= 1.0.0a19
Fixed in: 1.0.0a20
All affected versions: 1.0.0-a1, 1.0.0-a10, 1.0.0-a11, 1.0.0-a12, 1.0.0-a13, 1.0.0-a14, 1.0.0-a15, 1.0.0-a16, 1.0.0-a17, 1.0.0-a18, 1.0.0-a19
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.11, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.1, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 6.0.0, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.7.0, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 7.8.0, 7.9.0, 7.10.0, 7.10.1, 7.11.0, 7.12.0, 7.12.1, 7.13.0, 7.13.1, 7.14.0, 7.15.0, 7.15.1, 7.15.2, 7.15.3, 7.16.0, 7.16.1, 7.16.2, 7.16.3, 7.16.4, 7.16.5, 7.17.0, 7.18.0, 8.0.0, 9.0.0, 10.0.0, 10.1.0, 11.0.0, 11.1.0, 11.1.1, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.8, 13.0.9, 14.0.0, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.5.0, 14.5.1, 14.5.2, 14.5.3, 14.5.4, 14.6.0, 14.6.1, 14.7.0, 14.8.0, 14.9.0, 14.10.0, 15.0.0, 15.1.0, 15.1.1, 15.2.0, 15.2.1, 15.2.2, 16.0.0, 17.0.0, 17.1.0, 17.1.1, 17.1.2, 17.1.3, 17.2.0, 17.3.0, 17.3.1, 17.3.2, 17.4.0, 17.5.0, 17.5.1