GHSA-f2c5-997w-7f5c

Suggest an improvement
Source
https://github.com/advisories/GHSA-f2c5-997w-7f5c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-f2c5-997w-7f5c/GHSA-f2c5-997w-7f5c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-f2c5-997w-7f5c
Aliases
Published
2021-09-20T20:42:41Z
Modified
2023-11-01T04:55:55.891539Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Cross-site Scripting in peertube
Details

peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It was found that one could upload a SVG image and then send the url of that to other users and when they open the link we can get their complete session keys as the session keys stored in local storage and with Javascript easily can be stolen by attackers.

Database specific 
{
    "nvd_published_at": "2021-09-15T12:15:00Z",
    "github_reviewed_at": "2021-09-16T17:32:58Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

npm / peertube

Package

Name
peertube
View open source insights on deps.dev
Purl
pkg:npm/peertube

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.0