Last updated at Thu, 28 Dec 2023 14:44:20 GMT

This advisory covers a specific issue identified in Velociraptor and disclosed by a security code review. We want to thank Matthias Kujala for working with the Velociraptor team to identify and rectify this issue. It has been fixed as of version 0.7.0-4, released November 6, 2023.

CVSS · High · 8.6/10 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

  • Scoring scenario: General
  • attackVector: Network
  • attackComplexity: Low
  • privilegesRequired: None
  • userInteraction: None
  • scope: Unchanged
  • confidentialityImpact: High
  • integrityImpact: Low
  • availabilityImpact: Low


Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross-site scripting vulnerability. This vulnerability allows attackers to inject JavaScript into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-4, and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1). This issue affects the server only.
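The bug class behind this advisory (CWE-79) is request data reflected into an HTML error page without output encoding. The following is an added illustration, not Velociraptor's own code and not the actual fix; it shows a hypothetical error handler that concatenates a query parameter into HTML (the defect pattern) beside one that renders through Go's `html/template`, which contextually escapes the value. The `/error` route, the `msg` parameter and the sample query string are constructed for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical error page template; html/template escapes {{.}} for the HTML text context.
var errorPage = template.Must(template.New("err").Parse(
	`<html><body><h1>Error</h1><p>{{.}}</p></body></html>`))

// unsafeErrorHandler shows the defect pattern: the request parameter is
// concatenated straight into the HTML body, so markup in it is reflected verbatim.
func unsafeErrorHandler(w http.ResponseWriter, r *http.Request) {
	msg := r.URL.Query().Get("msg")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusBadRequest)
	w.Write([]byte("<html><body><h1>Error</h1><p>" + msg + "</p></body></html>"))
}

// safeErrorHandler renders the same message through html/template, so
// '<', '>', '&' and quotes are entity-encoded before reaching the browser.
func safeErrorHandler(w http.ResponseWriter, r *http.Request) {
	msg := r.URL.Query().Get("msg")
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusBadRequest)
	_ = errorPage.Execute(w, msg)
}

// constructedQuery is a sample query string (URL-encoded "<b>x</b>") used to
// probe whether markup survives into the response; it is test input, not a real request.
const constructedQuery = "msg=%3Cb%3Ex%3C%2Fb%3E"

// render runs a handler against an in-memory request and returns the response body.
func render(h http.HandlerFunc, rawQuery string) string {
	req := httptest.NewRequest(http.MethodGet, "/error?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// reflectsUnescaped reports whether marker appears verbatim (unencoded) in body.
func reflectsUnescaped(body, marker string) bool {
	return strings.Contains(body, marker)
}

func main() {
	fmt.Println("unsafe:", render(unsafeErrorHandler, constructedQuery))
	fmt.Println("safe:  ", render(safeErrorHandler, constructedQuery))
}
```

The same check (render a handler with a marker in the input and look for it unencoded in the body) is a cheap regression test to keep around any handler that echoes request data into HTML, and it would have flagged the unsafe variant here.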

Issue

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Remediation

To remediate this vulnerability, Velociraptor users should upgrade their servers.

Product Status

Product affected: Rapid7 Velociraptor prior to 0.7.0-4

Credits

Matthias Kujala

References

docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/

Timeline

  • 2023-11-02 - Notification of the issue
  • 2023-11-06 - Release 0.7.0-4 made available on GitHub