GHSA-3m3h-v9hv-9j4h

Source

https://github.com/advisories/GHSA-3m3h-v9hv-9j4h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-3m3h-v9hv-9j4h/GHSA-3m3h-v9hv-9j4h.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-3m3h-v9hv-9j4h

Aliases

Published

2021-12-02T17:49:40Z

Modified

2024-11-19T18:40:55.205905Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Cross-site Scripting in django-wiki

Details

In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript.

Database specific

{
    "nvd_published_at": "2021-11-23T20:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2021-11-24T20:01:39Z",
    "github_reviewed": true
}

References

Affected packages

PyPI / wiki

Package

Name: wiki; View open source insights on deps.dev
Purl: pkg:pypi/wiki

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.0.20

Fixed

0.7.9

Affected versions

0.*

0.0.20

0.0.21

0.0.22

0.0.23

0.0.24

0.0.24.1

0.0.24.2

0.0.24.3

0.0.24.4

0.0.24.4.post1

0.1.dev20160119155955

0.1b0

0.1

0.1.1

0.1.2

0.2b1

0.2b2

0.2

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.3b1

0.3b2

0.3b3

0.3b4

0.3rc1

0.3

0.3.1

0.4a1

0.4a2

0.4a3

0.4a4

0.4a5

0.4b1

0.4b2

0.4b3

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.5.dev20181021091629

0.5

0.6b1

0.6b2

0.6

0.7

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.7.8