GHSA-ff72-ff42-c3gw

Source
https://github.com/advisories/GHSA-ff72-ff42-c3gw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-ff72-ff42-c3gw/GHSA-ff72-ff42-c3gw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ff72-ff42-c3gw
Aliases
Published
2024-02-17T06:30:34Z
Modified
2024-06-28T15:58:25.767666Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting in github.com/greenpau/caddy-security
Details

All versions of the package github.com/greenpau/caddy-security up to and including 1.1.23 (see the affected range below) are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to insufficient input sanitization. The Referer header is sanitized by escaping several characters that can enable XSS ([&], [<], [>], ["], [']), but that escaping does not account for a payload built on the JavaScript URL scheme (e.g., javascript:alert(document.domain)//). Such a payload contains none of the escaped characters, so it passes through unchanged; HTML escaping protects text and attribute content, not a value that is then used as a URL, where the scheme itself must be validated. Exploiting this vulnerability may not be trivial, but it could lead to the execution of malicious scripts in the context of the target user's browser, compromising user sessions.
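The following Go program is an added illustration of the point above and is not code from caddy-security or its fix. escapedHref reproduces the weak approach the advisory describes (HTML escaping only) and shows that the javascript: payload survives it; safeReferer is a hypothetical hardening that allows only absolute http(s) URLs and same-origin absolute paths and substitutes an assumed fallback ("/") for anything else; renderBackLink combines scheme validation with escaping for the attribute context. The sample Referer values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// Constructed sample Referer values: one benign absolute URL, one relative
// path, and several that carry a script-capable or off-origin target.
var sampleReferers = []string{
	"https://app.example.com/portal?x=1",
	"/dashboard",
	"javascript:alert(document.domain)//",
	"JavaScript:alert(1)",
	"data:text/html,<script>alert(1)</script>",
	"//evil.example/phish",
	"",
}

// escapedHref shows the weak approach the advisory describes: HTML-escape the
// Referer (neutralising & < > " ') and drop it straight into an href. The
// javascript: payload contains none of those characters, so it survives intact.
func escapedHref(referer string) string {
	return html.EscapeString(referer)
}

// safeReferer returns a value that is safe to use as a link or redirect
// target: only absolute http(s) URLs with a host and same-origin absolute
// paths pass; anything else (javascript:, data:, scheme-relative //host,
// unparsable input, empty header) is replaced by fallback.
// Hypothetical hardening, not the project's own fix.
func safeReferer(referer, fallback string) string {
	u, err := url.Parse(strings.TrimSpace(referer))
	if err != nil {
		return fallback
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		if u.Host == "" {
			return fallback
		}
		return u.String()
	case "":
		// No scheme: accept only "/path", never "//host/path", which a browser
		// resolves against the current scheme and sends the user off-origin.
		if u.Host != "" || !strings.HasPrefix(u.Path, "/") {
			return fallback
		}
		return u.String()
	default:
		return fallback
	}
}

// renderBackLink applies both layers: validate the scheme first, then escape
// for the attribute context. Escaping alone is what the advisory says was
// done; validation alone would still break the markup if the URL held a quote.
func renderBackLink(referer, fallback string) string {
	return fmt.Sprintf(`<a href="%s">Back</a>`, html.EscapeString(safeReferer(referer, fallback)))
}

func main() {
	for _, r := range sampleReferers {
		fmt.Printf("%-45q escaped=%-45q safe=%q\n", r, escapedHref(r), safeReferer(r, "/"))
	}
}
```

Running it shows the javascript: and data: values passing through escapedHref byte-for-byte while safeReferer replaces them with the fallback; the allow-list on the parsed scheme is what closes the gap, and the escaping in renderBackLink is still needed so a legitimate URL containing a quote cannot break out of the attribute.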

References

Affected packages

Go / github.com/greenpau/caddy-security

Package

Name
github.com/greenpau/caddy-security
Purl
pkg:golang/github.com/greenpau/caddy-security

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.1.23