ghsa-j739-gw6q-f4c7
Vulnerability from github
Published
2022-04-14 00:00
Modified
2022-04-22 20:41
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
HTML Injection in Froxlor
Details

Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.

Note: Froxlor version 0.10.22 introduces AntiXSS cross-site scripting protection, but AntiXSS only provides partial protection for this particular issue.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.10.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-29653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T20:41:49Z",
    "nvd_published_at": "2022-04-13T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.\n\nNote: Froxlor version 0.10.22 introduces AntiXSS cross-site scripting protection, but AntiXSS only provides partial protection for this particular issue.",
  "id": "GHSA-j739-gw6q-f4c7",
  "modified": "2022-04-22T20:41:49Z",
  "published": "2022-04-14T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Froxlor/Froxlor/commit/6bf5eccc2477257b6c1760a3c3784ae7e0554ce0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Froxlor/Froxlor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Froxlor/Froxlor/security/advisories"
    },
    {
      "type": "WEB",
      "url": "https://nozero.io/en/cve-2020-29653-froxlor-html-injection-dangling-markup"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTML Injection in Froxlor"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.