GHSA-fr62-mg2q-7wqv

Suggest an improvement
Source
https://github.com/advisories/GHSA-fr62-mg2q-7wqv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-fr62-mg2q-7wqv/GHSA-fr62-mg2q-7wqv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fr62-mg2q-7wqv
Aliases
Published
2025-03-04T17:23:15Z
Modified
2025-03-11T17:16:40Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
In-memory stored Cross-site scripting (XSS) vulnerability in pineconesim
Details

Impact

The Pinecone Simulator (pineconesim) included in Pinecone up to commit https://github.com/matrix-org/pinecone/commit/ea4c33717fd74ef7d6f49490625a0fa10e3f5bbc is vulnerable to stored cross-site scripting. The payload storage is not permanent and will be wiped when restarting pineconsim.

Patches

Commit https://github.com/matrix-org/pinecone/commit/218b2801995b174085cb1c8fafe2d3aa661f85bd contains the fixes.

Workarounds

N/A

For more information

If you have any questions or comments about this advisory, please email us at security at matrix.org.

Database specific 
{
    "nvd_published_at": "2025-03-04T17:15:18Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "github_reviewed_at": "2025-03-04T17:23:15Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/matrix-org/pinecone

Package

Name
github.com/matrix-org/pinecone
View open source insights on deps.dev
Purl
pkg:golang/github.com/matrix-org/pinecone

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.11.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-fr62-mg2q-7wqv/GHSA-fr62-mg2q-7wqv.json"