Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mdjgtcTM5Zi1tZ2Zn
Cross-site Scripting in invenio-communities
Cross-Site Scripting (XSS) vulnerability in Jinja templates
Impact
A Cross-Site Scripting (XSS) vulnerability was discovered in two Jinja templates in the Invenio-Communities module. A user who can create a new community can include script element tags in its description and page fields, and the affected templates render those fields without escaping, so the injected script runs in the browser of anyone who views the community (stored XSS).
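The following is an added illustration, not code from invenio-communities or from the advisory. It reproduces the two rendering behaviours that decide whether the description and page fields are dangerous: emitting a field verbatim (what a Jinja template does when the value is marked `|safe` or autoescaping is off) versus HTML-escaping it (what Jinja's autoescape does for `{{ ... }}` expressions), using only the Python standard library so it runs without Jinja installed. It also includes a small audit that scans stored community records for active content; flagging inline `on*` event-handler attributes as well as script elements goes beyond the advisory's own description. The sample records, the template string and the payloads are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample records (not real data): what a community-creation
# request could have stored in the two affected fields.
COMMUNITIES = [
    {"id": "physics", "description": "Open physics datasets", "page": "<p>Welcome</p>"},
    {"id": "evil", "description": "<script>alert(document.domain)</script>", "page": "About us"},
    {"id": "sneaky", "description": "Hi", "page": '<img src=x onerror="alert(1)">'},
]

# Stand-in for the markup a community page template would emit (constructed).
TEMPLATE = (
    '<div class="community-description">{description}</div>\n'
    '<section class="community-page">{page}</section>'
)


def render_unescaped(community):
    """Vulnerable behaviour: field values are inserted into the markup verbatim,
    as a Jinja template does for a value marked |safe or with autoescape off."""
    return TEMPLATE.format(description=community["description"], page=community["page"])


def render_escaped(community):
    """Hardened behaviour: every field is HTML-escaped before insertion, as
    Jinja's autoescape does. An injected <script> survives only as visible text."""
    return TEMPLATE.format(
        description=html.escape(community["description"], quote=True),
        page=html.escape(community["page"], quote=True),
    )


class _ActiveContentFinder(HTMLParser):
    """Records script elements and inline event-handler attributes, i.e. the
    constructs a browser would execute rather than display."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT> is caught too.
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def find_active_content(fragment):
    """Return the list of active-content findings in an HTML fragment.
    Escaped text such as &lt;script&gt; reaches handle_data, never handle_starttag,
    so it produces no findings."""
    finder = _ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


def audit_communities(records):
    """Flag stored records whose description or page field carries active content.
    Returns (community id, field name, finding) tuples."""
    hits = []
    for record in records:
        for field in ("description", "page"):
            for finding in find_active_content(record[field]):
                hits.append((record["id"], field, finding))
    return hits


if __name__ == "__main__":
    evil = COMMUNITIES[1]
    print("unescaped:", find_active_content(render_unescaped(evil)))
    print("escaped:  ", find_active_content(render_escaped(evil)))
    print("audit:    ", audit_communities(COMMUNITIES))
```

Escaping is the right fix when the fields are meant to hold plain text. If a deployment intends community pages to carry rich HTML, escaping would garble legitimate markup and the alternative is an allowlist-based HTML sanitizer applied when the field is saved, not a `|safe` filter at render time. Running the audit over existing records after upgrading shows which communities already contain such markup.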
Patches
The problem has been patched in v1.0.0a20.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1mdjgtcTM5Zi1tZ2Zn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: 3 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00054
EPSS Percentile: 0.23536
Identifiers: GHSA-mfv8-q39f-mgfg, CVE-2019-1020005
References:
- https://github.com/inveniosoftware/invenio-communities/security/advisories/GHSA-mfv8-q39f-mgfg
- https://nvd.nist.gov/vuln/detail/CVE-2019-1020005
- https://github.com/advisories/GHSA-mfv8-q39f-mgfg
- https://github.com/inveniosoftware/invenio-communities/commit/505da72c5acd7dfbd4148f884c73c9c3372b76f4
- https://github.com/pypa/advisory-database/tree/main/vulns/invenio-communities/PYSEC-2019-25.yaml
Blast Radius: 8.0
Affected Packages
pypi:invenio-communities
Dependent packages: 5
Dependent repositories: 30
Downloads: 15,583 last month
Affected Version Ranges: <= 1.0.0a19
Fixed in: 1.0.0a20
All affected versions: 1.0.0-a1, 1.0.0-a10, 1.0.0-a11, 1.0.0-a12, 1.0.0-a13, 1.0.0-a14, 1.0.0-a15, 1.0.0-a16, 1.0.0-a17, 1.0.0-a18, 1.0.0-a19
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.11, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.1, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 6.0.0, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.7.0, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 7.8.0, 7.9.0, 7.10.0, 7.10.1, 7.11.0, 7.12.0, 7.12.1, 7.13.0, 7.13.1, 7.14.0, 7.15.0, 7.15.1, 7.15.2, 7.15.3, 7.16.0, 7.16.1, 7.16.2, 7.16.3, 7.16.4, 7.16.5, 7.17.0, 7.18.0, 8.0.0, 9.0.0, 10.0.0, 10.1.0, 11.0.0, 11.1.0, 11.1.1, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.8, 13.0.9, 14.0.0, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.5.0, 14.5.1, 14.5.2, 14.5.3, 14.5.4, 14.6.0, 14.6.1, 14.7.0, 14.8.0, 14.9.0, 14.10.0, 15.0.0, 15.1.0, 15.1.1, 15.2.0, 15.2.1, 15.2.2, 16.0.0, 17.0.0, 17.1.0, 17.1.1, 17.1.2, 17.1.3, 17.2.0, 17.3.0, 17.3.1, 17.3.2, 17.4.0, 17.5.0, 17.5.1