HSEC-2023-0008
See a problem?- Import Source
- https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0008.json
- JSON Data
- https://api.osv.dev/v1/vulns/HSEC-2023-0008
- Aliases
- Published
- 2025-11-14T14:45:34Z
- Modified
- 2025-11-14T18:15:37.223382Z
- Summary
- Stored XSS in hledger-web
- Details
-
Stored XSS in hledger-web
An issue was discovered in hledger-web < 1.23. A Stored Cross-Site Scripting (XSS) vulnerability exists in
toBloodhoundJsonthat allows an attacker to execute JavaScript by encoding user-controlled values in a payload with base64 and parsing them with theatobfunction.hledger-web forms sanitise obvious JavaScript, but not obfuscated JavaScript (see OWASP Filter Evasion Cheat Sheet). This means hledger-web instances, especially anonymously-writable ones like
demo.hledger.org, could be loaded with malicious JavaScript to be executed by subsequent visitors.Reported by Gaspard Baye and Hamidullah Muslih. Fix by Arsen Arsenović.
- Database specific
{ "home": "https://github.com/haskell/security-advisories", "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export", "repository": "https://github.com/haskell/security-advisories" }- References
Affected packages
Hackage / hledger-web
Package
- Name
- hledger-web
- Purl
- pkg:hackage/hledger-web
Severity
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator