Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/5xxx/CVE-2023-5950.json",
"cwe_ids": [
"CWE-79"
],
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "0.7.0-4"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "rapid7"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "0.6.9-1"
},
{
"introduced": "0.7.0-NA"
},
{
"last_affected": "0.7.0-NA"
},
{
"introduced": "0.7.0-rc1"
},
{
"last_affected": "0.7.0-rc1"
},
{
"introduced": "0.7.0-3"
},
{
"last_affected": "0.7.0-3"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*",
"cpe:2.3:a:rapid7:velociraptor:0.7.0:-:*:*:*:*:*:*",
"cpe:2.3:a:rapid7:velociraptor:0.7.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:rapid7:velociraptor:0.7.0-3:*:*:*:*:*:*:*"
]
}