CVE-2024-41809

OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, OpenObserve contains a cross-site scripting vulnerability in line 32 of `openobserve/web/src/views/MemberSubscription.vue`. Version 0.10.0 sanitizes incoming html.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/openobserve/openobserve/blob/v0.5.2/web/src/views/MemberSubscription.vue#L32
https://github.com/openobserve/openobserve/commit/2334377ebc8b74beb06ab3e5712dbdb1be1eff02
https://github.com/openobserve/openobserve/commit/64587261968217dfb8af4c4f6054d58bbc6d331d
https://github.com/openobserve/openobserve/security/advisories/GHSA-rw8w-37p9-mrrp

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-25 21:15

Updated : 2024-07-26 12:38

NVD link : CVE-2024-41809

Mitre link : CVE-2024-41809

CVE.ORG link : CVE-2024-41809

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.2 /10