GHSA-c6cw-g7fc-4gwc

Suggest an improvement
Source
https://github.com/advisories/GHSA-c6cw-g7fc-4gwc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-c6cw-g7fc-4gwc/GHSA-c6cw-g7fc-4gwc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-c6cw-g7fc-4gwc
Aliases
Published
2024-10-07T14:55:30Z
Modified
2024-10-08T14:23:07.234339Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Lara-zeus Dynamic Dashboard and Artemis do not validate paragraph widget values which can be used for XSS
Details

Summary

If values passed to a paragraph widget are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a paragraph widget is rendered.

Versions of dynamic dashboard from v3.0.0 through v3.0.2 are affected.

Please upgrade to dynamic dashboard v3.0.2.

PoC

PoC will be published in a few weeks, once developers have had a chance to upgrade their apps.

Response

This vulnerability (in paragraph widget only) was reported by Raghav Sharma, who reported the issue and patched the issue during the morning of 05/10/2024. Thank you Raghav Sharma.

The review process concluded the same day at night, which revealed the issue was also present in paragraph widget. This was fixed the same day and dynamic dashboard v3.0.2 followed.

Note:

if you're published the view (blade files), you have to republish them or check the changes on release to update the affected file.

Database specific
{
    "nvd_published_at": "2024-10-07T22:15:03Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-07T14:55:30Z"
}
References

Affected packages

Packagist / lara-zeus/dynamic-dashboard

Package

Name
lara-zeus/dynamic-dashboard
Purl
pkg:composer/lara-zeus/dynamic-dashboard

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.2

Affected versions

v3.*

v3.0.0
v3.0.1

Database specific

{
    "last_known_affected_version_range": "<= 3.0.1"
}

Packagist / lara-zeus/artemis

Package

Name
lara-zeus/artemis
Purl
pkg:composer/lara-zeus/artemis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.7

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6

Database specific

{
    "last_known_affected_version_range": "<= 1.0.6"
}