GitHub Advisory Database: GHSA-PCHF-755W-JJ6V
History: May 17, 2022 - 1:59 a.m.

QooxDoo XSS in Callback Parameter

2022-05-17 01:59:37
CWE-79
GitHub Advisory Database
github.com
cross-site scripting
qooxdoo
remote attackers
arbitrary script
html
callback parameter
vulnerability

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AI Score: 6.2
Confidence: High

EPSS: 0.01
Percentile: 84.0%

Cross-site scripting (XSS) vulnerability in framework/source/resource/qx/test/jsonp_primitive.php in QooxDoo 1.3 and possibly other versions, as used in eyeOS 2.2 and 2.3 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the callback parameter.

Affected configurations

Vulners
Node: qooxdoo qooxdoo, Range: 1.3

Vendor: qooxdoo
Product: qooxdoo
Version: *
CPE: cpe:2.3:a:qooxdoo:qooxdoo:*:*:*:*:*:*:*:*
