GHSA-jfxf-4frr-9j3q

Source
https://github.com/advisories/GHSA-jfxf-4frr-9j3q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfxf-4frr-9j3q/GHSA-jfxf-4frr-9j3q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jfxf-4frr-9j3q
Published
2022-05-25T19:38:50Z
Modified
2024-12-07T05:48:12.619861Z
Summary
XSS in various backend modules due to (un)escaping in JS notification module
Details

The notification module that displays flash messages unescapes HTML coming from the server, resulting in XSS vulnerabilities through the various names and labels of entities (e.g. a workspace title or media title). This means, however, that an attacker must already be a logged-in user with the respective rights in order to leverage this attack vector.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T19:38:50Z"
}
References

Affected packages

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3
Fixed
5.3.10

Affected versions

3.*

3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.3.10
3.3.11
3.3.12
3.3.13
3.3.14
3.3.15
3.3.16
3.3.17
3.3.18
3.3.19
3.3.20
3.3.21
3.3.22
3.3.23
3.3.24
3.3.25
3.3.26
3.3.27
3.3.28
3.3.29

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.22
4.0.23
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.1.11
4.1.12
4.1.13
4.1.14
4.1.15
4.1.16
4.1.17
4.1.18
4.1.19
4.1.20
4.1.21
4.1.22
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.15
4.2.16
4.2.17
4.2.18
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.3.12
4.3.13
4.3.14
4.3.15
4.3.16
4.3.17
4.3.18
4.3.19

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.9

Affected versions

7.*

7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.0.8

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.1.7

Affected versions

7.*

7.1.0
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
7.1.6

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.2.6

Affected versions

7.*

7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.3.0
Fixed
7.3.4

Affected versions

7.*

7.3.0
7.3.1
7.3.2
7.3.3

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.2

Affected versions

8.*

8.0.0
8.0.1