Lucene search

GitHub Advisory DatabaseGHSA-WW7P-8GFG-V82R

HistoryAug 05, 2024 - 9:29 p.m.

Scrypted Cross-site Scripting vulnerability

2024-08-0521:29:22

CWE-79

GitHub Advisory Database

github.com

scrypted

cross-site scripting

vulnerability

javascript scheme

arbitrary code

security issue

software

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.1

Confidence

High

JSON

Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior (corresponding to @scrypted/core 0.1.142 and prior), a reflected cross-site scripting vulnerability exists in the login page via the redirect_uri parameter. By specifying a url with the javascript scheme (javascript:), an attacker can run arbitrary JavaScript code after the login. As of time of publication, no known patches are available.

Affected configurations

Vulners

Node

scryptedcoreRange≤0.1.142

VendorProductVersionCPE
scryptedcore*cpe:2.3:a:scrypted:core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
scrypted	core	*	cpe:2.3:a:scrypted:core::::::::

References

github.com/advisories/GHSA-ww7p-8gfg-v82r

github.com/koush/scrypted/blob/v0.55.0/plugins/core/ui/src/Login.vue#L79

nvd.nist.gov/vuln/detail/CVE-2023-47623

securitylab.github.com/advisories/GHSL-2023-218_GHSL-2023-219_scrypted

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.1

Confidence

High

JSON

Related for GHSA-WW7P-8GFG-V82R