CVE-2023-40024

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-40024

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40024.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-40024

Aliases

GHSA-6xcx-gx7r-rccj

Related

GHSA-6xcx-gx7r-rccj

Published

2023-08-14T20:15:12Z

Modified

2025-01-14T11:54:07.518798Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the license_details_view function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release 32.5.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/nexb/scancode.io

Affected ranges

Type: GIT
Repo: https://github.com/nexb/scancode.io
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

8bbf0c08f2a95b8f0bba051f549e2b3d298b6383

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

21.*

21.4.5

v21.*

v21.4.14

v21.4.28

v21.5.12

v21.6.10

v21.8.2

v21.9.6

v30.*

v30.0.0

v30.0.1

v30.1.0

v30.1.1

v30.2.0

v31.*

v31.0.0

v32.*

v32.0.0

v32.0.1

v32.1.0

v32.2.0

v32.3.0

v32.4.0

v32.5.0

v32.5.1