CVE-2023-49078 - OpenCVE

raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user controlled URL parameter is loaded into an internal template that has autoescape disabled. This is a cross-site scripting vulnerability that affects all deployments of `raptor-web` on version `0.4.4`. Any victim who clicks on a malicious crafted link will be affected. This issue has been patched 0.4.4.1.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Zediious	Raptor-web

Configuration 1 [-]

cpe:2.3:a:zediious:raptor-web:0.4.4:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/zediious/raptor-web/releases/tag/0.4.4.1	Patch
https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq	Exploit Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-28T18:15:24.447Z

Updated: 2023-11-28T18:15:24.447Z

Reserved: 2023-11-21T18:57:30.427Z

Link: CVE-2023-49078

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-28T19:15:07.397

Modified: 2023-12-04T17:41:18.540

Link: CVE-2023-49078

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-49078", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.427Z", "datePublished": "2023-11-28T18:15:24.447Z", "dateUpdated": "2023-11-28T18:15:24.447Z"}, "containers": {"cna": {"title": "Cross-Site Scripting vulnerability in raptor-web 0.4.4", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq"}, {"name": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1"}], "affected": [{"vendor": "zediious", "product": "raptor-web", "versions": [{"version": "< 0.4.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-28T18:15:24.447Z"}, "descriptions": [{"lang": "en", "value": "raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user controlled URL parameter is loaded into an internal template that has autoescape disabled. This is a cross-site scripting vulnerability that affects all deployments of `raptor-web` on version `0.4.4`. Any victim who clicks on a malicious crafted link will be affected. This issue has been patched 0.4.4.1."}], "source": {"advisory": "GHSA-8r6g-fhh4-xhmq", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zediious:raptor-web:0.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "E59B46AE-B7E3-446D-B612-15849A930CD4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user controlled URL parameter is loaded into an internal template that has autoescape disabled. This is a cross-site scripting vulnerability that affects all deployments of `raptor-web` on version `0.4.4`. Any victim who clicks on a malicious crafted link will be affected. This issue has been patched 0.4.4.1."}, {"lang": "es", "value": "raptor-web es un CMS para comunidades de servidores de juegos que se puede utilizar para alojar informaci\u00f3n y realizar un seguimiento de los jugadores. En la versi\u00f3n 0.4.4 de raptor-web, es posible crear una URL maliciosa que dar\u00e1 como resultado una vulnerabilidad de cross-site scripting reflejado. Un par\u00e1metro de URL controlado por el usuario se carga en una plantilla interna que tiene el escape autom\u00e1tico deshabilitado. Esta es una vulnerabilidad de cross-site scripting que afecta a todas las implementaciones de \"raptor-web\" en la versi\u00f3n \"0.4.4\". Cualquier v\u00edctima que haga clic en un enlace malicioso se ver\u00e1 afectada. Este problema ha sido parcheado 0.4.4.1."}], "id": "CVE-2023-49078", "lastModified": "2023-12-04T17:41:18.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-28T19:15:07.397", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}