GHSA-fwhv-9phj-wrj5

Source

https://github.com/advisories/GHSA-fwhv-9phj-wrj5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-fwhv-9phj-wrj5/GHSA-fwhv-9phj-wrj5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fwhv-9phj-wrj5

Aliases

CVE-2023-0325

Published

2023-04-05T00:30:39Z

Modified

2024-02-17T05:36:44.350117Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Uvdesk vulnerable to stored cross-site scripting (XSS)

Details

Uvdesk version 1.1.1 allows an unauthenticated remote attacker to exploit a stored XSS in the application. This is possible because the application does not correctly validate the message sent by the clients in the ticket.

Database specific

{
    "nvd_published_at": "2023-04-04T22:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-11T21:58:17Z"
}

References

Affected packages

Packagist / uvdesk/community-skeleton

Package

Name: uvdesk/community-skeleton
Purl: pkg:composer/uvdesk/community-skeleton

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.1.1

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.0.10

v1.0.11

v1.0.12

v1.0.13

v1.0.14

v1.0.16

v1.0.17

v1.0.18

v1.1.0

v1.1.1