CVE-2023-46448

Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://blog.0xzon.dev/2023-10-15-Mejiro-Reflected-XSS-Via-Remote-File-Inclusion-CVE-2023-46448/	Exploit Third Party Advisory
https://github.com/dmpop/mejiro/commit/309639339f5816408865902befe8c90cb6862537	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:dmpop:mejiro:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-11-01 22:15

Updated : 2023-11-09 15:55

NVD link : CVE-2023-46448

Mitre link : CVE-2023-46448

CVE.ORG link : CVE-2023-46448

JSON object : View

Products Affected

dmpop

mejiro

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-46448", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-11-01T22:15:08.730", "references": [{"url": "https://blog.0xzon.dev/2023-10-15-Mejiro-Reflected-XSS-Via-Remote-File-Inclusion-CVE-2023-46448/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/dmpop/mejiro/commit/309639339f5816408865902befe8c90cb6862537", "tags": ["Patch"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada en dmpop Mejiro Commit Versions anteriores a 3096393 permite a los atacantes ejecutar c\u00f3digo arbitrario a trav\u00e9s de una cadena manipulada en metadatos de im\u00e1genes cargadas."}], "lastModified": "2023-11-09T15:55:49.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dmpop:mejiro:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84F44AB1-6106-420F-A03A-4FA2EF8D2CAB", "versionEndExcluding": "2023-10-15"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}