GHSA-mfv8-q39f-mgfg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mfv8-q39f-mgfg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mfv8-q39f-mgfg/GHSA-mfv8-q39f-mgfg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mfv8-q39f-mgfg
- Aliases
- Published
- 2019-07-16T00:52:26Z
- Modified
- 2024-09-20T22:02:00.089075Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Cross-site Scripting in invenio-communities
- Details
-
Cross-Site Scripting (XSS) vulnerability in Jinja templates
Impact
A Cross-Site Scripting (XSS) vulnerability was discovered in two Jinja templates in the Invenio-Communities module. The vulnerability allows a user to create a new community and include script element tags inside the description and page fields.
Patches
The problem has been patched in v1.0.0a20.
For more information
If you have any questions or comments about this advisory: * Email us at info@inveniosoftware.org
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:46:01Z" }- References
-
- https://github.com/inveniosoftware/invenio-communities/security/advisories/GHSA-mfv8-q39f-mgfg
- https://nvd.nist.gov/vuln/detail/CVE-2019-1020005
- https://github.com/inveniosoftware/invenio-communities/commit/505da72c5acd7dfbd4148f884c73c9c3372b76f4
- https://github.com/advisories/GHSA-mfv8-q39f-mgfg
- https://github.com/pypa/advisory-database/tree/main/vulns/invenio-communities/PYSEC-2019-25.yaml
Affected packages
PyPI / invenio-communities
Package
- Name
- invenio-communities
- View open source insights on deps.dev
- Purl
- pkg:pypi/invenio-communities
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.0.0a20