GHSA-q76r-7p4q-mqpw

Suggest an improvement
Source
https://github.com/advisories/GHSA-q76r-7p4q-mqpw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-q76r-7p4q-mqpw/GHSA-q76r-7p4q-mqpw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q76r-7p4q-mqpw
Aliases
  • CVE-2024-2001
Published
2024-02-29T15:32:26Z
Modified
2024-02-29T23:42:08.920770Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Cockpit CMS Cross-Site Scripting vulnerability
Details

A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

Database specific 
{
    "nvd_published_at": "2024-02-29T14:15:45Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-29T23:27:17Z"
}
References

Affected packages

Packagist / cockpit-hq/cockpit

Package

Name
cockpit-hq/cockpit
Purl
pkg:composer/cockpit-hq/cockpit

Affected ranges

Affected versions

2.*

2.7.0