CVE-2024-41675

CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Affected are sites running CKAN >= 2.7.0 with the datatables_view plugin activated. This plugin is included in CKAN core; it is not activated by default, but it is widely used to preview tabular data. This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0.
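The root cause described above is record data inserted into table markup without HTML escaping. The JavaScript below is an added illustration, not CKAN's code and not the referenced patch: it renders a constructed DataStore-style records array both without and with escaping, so the difference can be checked directly. The record shape, field names and function names are assumptions made for the example.

```javascript
// Added example (not CKAN's code): escaping DataStore record values before
// they are placed into table cell markup, the class of defect behind CVE-2024-41675.

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample records; the field names and shape are assumptions, not
// CKAN's real schema. The second row carries the kind of value that must not be
// rendered raw.
const sampleRecords = [
  { _id: 1, name: "Alice", note: "fine" },
  { _id: 2, name: "<script>alert(1)</script>", note: 'x" onmouseover="alert(2)' },
];
const sampleFields = ["_id", "name", "note"];

// Vulnerable rendering: values are concatenated straight into the markup.
function renderRowUnsafe(record, fields) {
  return "<tr>" + fields.map((f) => `<td>${record[f]}</td>`).join("") + "</tr>";
}

// Hardened rendering: every value is escaped before it touches the markup.
function renderRowSafe(record, fields) {
  return (
    "<tr>" +
    fields.map((f) => `<td>${escapeHtml(record[f] == null ? "" : record[f])}</td>`).join("") +
    "</tr>"
  );
}

// Build a whole table; the header cells are escaped in both variants because
// field names also come from the DataStore.
function renderTable(records, fields, rowRenderer) {
  const header = "<tr>" + fields.map((f) => `<th>${escapeHtml(f)}</th>`).join("") + "</tr>";
  return "<table>" + header + records.map((r) => rowRenderer(r, fields)).join("") + "</table>";
}

// Quick check a reviewer can run over rendered output: does a raw tag of the
// given name survive into the HTML? Only table markup should.
function containsRawTag(html, tagName) {
  return html.includes("<" + tagName);
}

// Stand-alone run: show both outputs side by side.
console.log("unsafe:", renderTable(sampleRecords, sampleFields, renderRowUnsafe));
console.log("safe:  ", renderTable(sampleRecords, sampleFields, renderRowSafe));
```

When the rendering is delegated to the DataTables library itself, the equivalent fix is to use its text renderer (`DataTable.render.text()`) for data columns, since DataTables otherwise inserts cell data as HTML.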
Configurations

Configuration 1

cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*

History

23 Aug 2024, 17:07

Type         Values Removed        Values Added
CPE                                cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*
First Time                         Okfn
                                   Okfn ckan
CVSS         v2 : unknown          v2 : unknown
             v3 : 6.8              v3 : 6.1
Summary                            (es) CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Affected are sites running CKAN >= 2.7.0 with the datatables_view plugin activated. This plugin is included in CKAN core; it is not activated by default, but it is widely used to preview tabular data. This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0.
References                         https://github.com/ckan/ckan/commit/9e89ce8220ab1445e0bd85a67994a51d9d3d2688 - Patch
References                         https://github.com/ckan/ckan/commit/d7dfe8c427b1c63c75d788a609f3b7d7620a25a1 - Patch
References                         https://github.com/ckan/ckan/security/advisories/GHSA-r3jc-vhf4-6v32 - Vendor Advisory

21 Aug 2024, 16:06

Type         Values Removed        Values Added
New CVE

Information

Published : 2024-08-21 15:15

Updated : 2024-08-23 17:07


NVD link : CVE-2024-41675

Mitre link : CVE-2024-41675

CVE.ORG link : CVE-2024-41675


Products Affected

okfn

  • ckan
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')