GHSA-7rw2-3hhp-rc46
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7rw2-3hhp-rc46
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-7rw2-3hhp-rc46/GHSA-7rw2-3hhp-rc46.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7rw2-3hhp-rc46
- Aliases
- Published
- 2024-02-21T00:24:56Z
- Modified
- 2024-02-21T00:41:55.597371Z
- Severity
-
- 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- Cross-site Scripting Vulnerability in Statement Browser
- Details
-
Impact
A maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser.
Patches
The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS.
Workarounds
No workarounds exist, we recommend upgrading to version 1.2.17 of the library or version 0.7.5 of SQL LRS immediately.
References
- Database specific
{ "nvd_published_at": "2024-02-20T22:15:08Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-02-21T00:24:56Z" }- References
-
- https://github.com/yetanalytics/lrs/security/advisories/GHSA-7rw2-3hhp-rc46
- https://nvd.nist.gov/vuln/detail/CVE-2024-26140
- https://github.com/yetanalytics/lrs/commit/d7f4883bc2252337d25e8bba2c7f9d172f5b0621
- https://clojars.org/com.yetanalytics/lrs/versions/1.2.17
- https://github.com/yetanalytics/lrs
- https://github.com/yetanalytics/lrs/releases/tag/v1.2.17
- https://github.com/yetanalytics/lrsql/releases/tag/v0.7.5
Affected packages
Maven / com.yetanalytics:lrs
Package
- Name
- com.yetanalytics:lrs
- View open source insights on deps.dev
- Purl
- pkg:maven/com.yetanalytics/lrs