CVE-2024-42346

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-42346
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42346.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-42346
Aliases
Published
2024-09-20T18:53:01.373Z
Modified
2026-05-20T08:11:24.196160867Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
Summary
Stored Cross Site Scripting (Stored XSS) in Galaxy
Details

Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42346.json"
}
References

Affected packages

Git / github.com/galaxyproject/galaxy

Affected ranges

Type
GIT
Repo
https://github.com/galaxyproject/galaxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
940a87c8bf248c0d1cecd61b2e19fd37ce097777

Affected versions

galaxy-tool-util-20.*
galaxy-tool-util-20.5.0.dev1
galaxy-tool-util-20.5.0.dev2
v13.*
v13.01
v24.*
v24.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42346.json"