CVE-2023-26146

All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://gist.github.com/dellalibera/c53448135480cbe12257c4b413a90d20	Exploit
https://security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730766	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ithewei:libhv:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-09-29 05:15

Updated : 2023-11-07 04:09

NVD link : CVE-2023-26146

Mitre link : CVE-2023-26146

CVE.ORG link : CVE-2023-26146

JSON object : View

Products Affected

ithewei

libhv

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-26146", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-09-29T05:15:46.540", "references": [{"url": "https://gist.github.com/dellalibera/c53448135480cbe12257c4b413a90d20", "tags": ["Exploit"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730766", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered."}, {"lang": "es", "value": "Todas las versiones del paquete ithewei/libhv son vulnerables a Cross-Site Scripting (XSS), de modo que cuando la aplicaci\u00f3n entrega un archivo con un nombre que contiene un payload malicioso, el nombre del archivo se muestra sin la sanitizaci\u00f3n adecuada cuando se procesa."}], "lastModified": "2023-11-07T04:09:28.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ithewei:libhv:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02035540-1A6E-46F6-A215-8ADBE8A24F04"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}