GHSA-mrwr-2945-fr22

Source

https://github.com/advisories/GHSA-mrwr-2945-fr22

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-mrwr-2945-fr22/GHSA-mrwr-2945-fr22.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mrwr-2945-fr22

Aliases

CVE-2021-32245

Published

2021-06-22T15:17:28Z

Modified

2023-11-08T04:05:53.320069Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Cross-site scripting in PageKit

Details

In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" that will point to http://localhost/pagekit/storage/exp.svg. When a user comes along to click that link, it will trigger a XSS attack.

Database specific

{
    "nvd_published_at": "2021-06-16T21:15:00Z",
    "github_reviewed_at": "2021-06-17T17:32:02Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Packagist / pagekit/pagekit

Package

Name: pagekit/pagekit
Purl: pkg:composer/pagekit/pagekit

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.18

Affected versions

0.*

0.8.8

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.11.0

0.11.1

0.11.2

0.11.3

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18