CVE-2023-26146 - OpenCVE

All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ithewei	Libhv

Configuration 1 [-]

cpe:2.3:a:ithewei:libhv:*:*:*:*:*:*:*:*

References

Link	Resource
https://gist.github.com/dellalibera/c53448135480cbe12257c4b413a90d20	Exploit
https://security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730766	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2023-09-29T05:00:01.401Z

Updated: 2023-09-29T05:00:01.401Z

Reserved: 2023-02-20T10:28:48.929Z

Link: CVE-2023-26146

JSON object: View

NVD Information

Status : Modified

Published: 2023-09-29T05:15:46.540

Modified: 2023-11-07T04:09:28.190

Link: CVE-2023-26146

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ithewei:libhv:*:*:*:*:*:*:*:*", "matchCriteriaId": "02035540-1A6E-46F6-A215-8ADBE8A24F04", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered."}, {"lang": "es", "value": "Todas las versiones del paquete ithewei/libhv son vulnerables a Cross-Site Scripting (XSS), de modo que cuando la aplicaci\u00f3n entrega un archivo con un nombre que contiene un payload malicioso, el nombre del archivo se muestra sin la sanitizaci\u00f3n adecuada cuando se procesa."}], "id": "CVE-2023-26146", "lastModified": "2023-11-07T04:09:28.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-09-29T05:15:46.540", "references": [{"source": "report@snyk.io", "tags": ["Exploit"], "url": "https://gist.github.com/dellalibera/c53448135480cbe12257c4b413a90d20"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730766"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "report@snyk.io", "type": "Secondary"}]}