GHSA-hv6m-qj65-26q3

Source
https://github.com/advisories/GHSA-hv6m-qj65-26q3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-hv6m-qj65-26q3/GHSA-hv6m-qj65-26q3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hv6m-qj65-26q3
Aliases
  • CVE-2024-50637
Published
2024-11-06T18:31:11Z
Modified
2024-11-06T20:42:16.364814Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
UnoPim Cross-site Scripting vulnerability
Details

UnoPim 0.1.3 and below is vulnerable to Cross-Site Scripting (XSS) in the Create User function.

The vulnerability allows attackers to perform XSS through files uploaded with the SVG file extension, which can be used to steal cookies.
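As an added example (not UnoPim code and not part of this advisory), the following Python shows the upload-side check a defender would place in front of a profile-image handler for the SVG problem described above: the file type is decided from content rather than from the extension, SVG is refused by default, and when SVG must be accepted it is parsed as XML and rejected if it carries script elements, event-handler attributes, embedded foreign content, or javascript:/data: URLs. The function names, the accepted-type policy and the sample files are assumptions made for illustration; the sample SVGs are constructed here, not taken from the advisory.

```python
"""Defensive validation of image uploads that may be SVG.

Added example, not UnoPim project code. Uses only the Python standard library;
in a hardened deployment the XML parsing would go through defusedxml.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Elements that execute script or pull in foreign/external content when an SVG
# is rendered inline by a browser. foreignObject embeds HTML; use/image can
# reference other documents; animate/set can rewrite attributes at runtime.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed",
                   "use", "image", "animate", "set"}

# Attributes that carry a URL (xlink:href is reported as plain "href" once the
# namespace prefix is stripped).
URL_ATTRIBUTES = {"href", "src"}

# Schemes that must never appear in an SVG URL attribute.
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> List[str]:
    """Return the reasons an SVG should be refused; an empty list means clean."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: List[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():  # root first, then descendants in document order
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in URL_ATTRIBUTES:
                m = DANGEROUS_SCHEME.match(value)
                if m:
                    findings.append(f"{m.group(1).lower()}: URL in {aname} on <{name}>")
    return findings


def validate_image_upload(filename: str, data: bytes, allow_svg: bool = False) -> Tuple[bool, str]:
    """Decide whether an uploaded image may be stored.

    The type comes from the bytes, never from the extension, so an SVG renamed
    to .png is still treated as SVG. SVG is refused unless allow_svg is set,
    and even then only clean SVG passes.
    """
    if data.startswith(PNG_MAGIC):
        return True, "png"
    if data.startswith(JPEG_MAGIC):
        return True, "jpeg"
    if data.lstrip().startswith(b"<"):  # XML-looking payload, whatever the name says
        if not allow_svg:
            return False, "svg uploads are not accepted"
        findings = svg_findings(data)
        if findings:
            return False, "svg rejected: " + "; ".join(findings)
        return True, "svg"
    return False, f"unrecognised image format for {filename!r}"


# Constructed sample inputs (not from the advisory).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4"/></svg>')
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="void(0)">'
    b'<script>/* active content */</script>'
    b'<a xlink:href="javascript:void(0)"><text x="1" y="5">hi</text></a>'
    b'</svg>'
)
# Same active content, but uploaded under a .png name.
FAKE_PNG_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* x */</script></svg>'

if __name__ == "__main__":
    for name, blob in [("logo.svg", CLEAN_SVG), ("avatar.svg", ACTIVE_SVG),
                       ("avatar.png", FAKE_PNG_SVG)]:
        print(name, validate_image_upload(name, blob, allow_svg=True))
```

The content check is a second line of defence, not the first: the simplest fix for an avatar field is to not accept SVG at all, and whatever is accepted should be served from a separate origin or with `Content-Disposition: attachment` and a restrictive Content-Security-Policy, so that a file that slips past the filter cannot run in the application's origin and reach its cookies.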

Database specific
{
    "nvd_published_at": "2024-11-06T17:15:20Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-06T20:21:56Z"
}
References

Affected packages

Packagist / unopim/unopim

Package

Name
unopim/unopim
Purl
pkg:composer/unopim/unopim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.1.4

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3