CVE-2023-26146

{"id": "CVE-2023-26146", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-09-29T05:15:46.540", "references": [{"url": "https://gist.github.com/dellalibera/c53448135480cbe12257c4b413a90d20", "tags": ["Exploit"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730766", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://gist.github.com/dellalibera/c53448135480cbe12257c4b413a90d20", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730766", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered."}, {"lang": "es", "value": "Todas las versiones del paquete ithewei/libhv son vulnerables a Cross-Site Scripting (XSS), de modo que cuando la aplicaci\u00f3n entrega un archivo con un nombre que contiene un payload malicioso, el nombre del archivo se muestra sin la sanitizaci\u00f3n adecuada cuando se procesa."}], "lastModified": "2024-11-21T07:50:52.447", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ithewei:libhv:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02035540-1A6E-46F6-A215-8ADBE8A24F04"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}