CVE-2023-28158

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28158
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28158.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28158
Aliases
Published
2023-03-29T13:15:08Z
Modified
2024-09-02T20:55:33Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users, who can create a directory name that injects XSS content and so gain privileges such as those of an admin user.

References

Affected packages

Git / github.com/apache/archiva

Affected ranges

Type
GIT
Repo
https://github.com/apache/archiva
Events