GHSA-vxh3-mvv7-265j

Suggest an improvement
Source
https://github.com/advisories/GHSA-vxh3-mvv7-265j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-vxh3-mvv7-265j/GHSA-vxh3-mvv7-265j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vxh3-mvv7-265j
Aliases
Published
2019-07-16T00:52:15Z
Modified
2024-09-23T16:39:00.197245Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Cross-site scripting invenio-records
Details

Cross-Site Scripting (XSS) vulnerability in administration interface

Impact

A Cross-Site Scripting (XSS) vulnerability was discovered when rendering JSON for a record in the administration interface. The vulnerability could be exploited by e.g. a user who had access to upload a new record, that an admin user would then later view in the admin interface.

Patches

All supported versions of Invenio-Records have been patched. You should upgrade to either v1.0.1, v1.1.1 or v1.2.2

For more information

If you have any questions or comments about this advisory: * Email us at info@inveniosoftware.org

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:58:55Z"
}
References

Affected packages

PyPI / invenio-records

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.2

Affected versions

0.*

0.1.0
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.4.post1

1.*

1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0a6
1.0.0a7
1.0.0a8
1.0.0a9
1.0.0a10
1.0.0a11
1.0.0a12
1.0.0a14
1.0.0a15
1.0.0a16
1.0.0a17
1.0.0b1
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0
1.0.1

PyPI / invenio-records

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.0
Fixed
1.1.1

Affected versions

1.*

1.1.0

PyPI / invenio-records

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.2

Affected versions

1.*

1.2.0
1.2.1