GHSA-j739-gw6q-f4c7

Source

https://github.com/advisories/GHSA-j739-gw6q-f4c7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-j739-gw6q-f4c7/GHSA-j739-gw6q-f4c7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j739-gw6q-f4c7

Aliases

CVE-2020-29653

Published

2022-04-14T00:00:19Z

Modified

2024-02-20T05:33:34.202221Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

HTML Injection in Froxlor

Details

Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.

Note: Froxlor version 0.10.22 introduces AntiXSS cross-site scripting protection, but AntiXSS only provides partial protection for this particular issue.

Database specific

{
    "nvd_published_at": "2022-04-13T13:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T20:41:49Z"
}

References

Affected packages

Packagist / froxlor/froxlor

Package

Name: froxlor/froxlor
Purl: pkg:composer/froxlor/froxlor

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.10.22

Affected versions

0.*

0.10.0-rc1

0.10.0-rc2

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

0.10.10

0.10.11

0.10.12

0.10.13

0.10.14

0.10.15

0.10.16

0.10.17

0.10.18

0.10.19

0.10.20

0.10.21

0.10.22