CVE-2023-46448

Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://blog.0xzon.dev/2023-10-15-Mejiro-Reflected-XSS-Via-Remote-File-Inclusion-CVE-2023-46448/	Exploit Third Party Advisory
https://github.com/dmpop/mejiro/commit/309639339f5816408865902befe8c90cb6862537	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:dmpop:mejiro:*:*:*:*:*:*:*:*

History

09 Nov 2023, 15:55

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/dmpop/mejiro/commit/309639339f5816408865902befe8c90cb6862537 -~~	(MISC) https://github.com/dmpop/mejiro/commit/309639339f5816408865902befe8c90cb6862537 - Patch
References	~~(MISC) https://blog.0xzon.dev/2023-10-15-Mejiro-Reflected-XSS-Via-Remote-File-Inclusion-CVE-2023-46448/ -~~	(MISC) https://blog.0xzon.dev/2023-10-15-Mejiro-Reflected-XSS-Via-Remote-File-Inclusion-CVE-2023-46448/ - Exploit, Third Party Advisory
CWE		CWE-79
First Time		Dmpop Dmpop mejiro
CPE		cpe:2.3:a:dmpop:mejiro::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1

01 Nov 2023, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-01 22:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-46448

Mitre link : CVE-2023-46448

CVE.ORG link : CVE-2023-46448

JSON object : View

Products Affected

dmpop

mejiro

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-46448", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-11-01T22:15:08.730", "references": [{"url": "https://blog.0xzon.dev/2023-10-15-Mejiro-Reflected-XSS-Via-Remote-File-Inclusion-CVE-2023-46448/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/dmpop/mejiro/commit/309639339f5816408865902befe8c90cb6862537", "tags": ["Patch"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada en dmpop Mejiro Commit Versions anteriores a 3096393 permite a los atacantes ejecutar c\u00f3digo arbitrario a trav\u00e9s de una cadena manipulada en metadatos de im\u00e1genes cargadas."}], "lastModified": "2023-11-09T15:55:49.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dmpop:mejiro:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84F44AB1-6106-420F-A03A-4FA2EF8D2CAB", "versionEndExcluding": "2023-10-15"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}