GHSA-pcfx-g2j2-f6f6

Source
https://github.com/advisories/GHSA-pcfx-g2j2-f6f6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-pcfx-g2j2-f6f6/GHSA-pcfx-g2j2-f6f6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pcfx-g2j2-f6f6
Aliases
Published
2024-02-29T22:14:49Z
Modified
2024-03-21T18:32:49.542762Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Docassemble HTML and javascript injection
Details

Impact

A user could type HTML into an input field, including the field for the user's name, and that HTML was later rendered by the browser as markup instead of being displayed as escaped text. Because the injected HTML can contain <script> tags (or event-handler attributes), arbitrary JavaScript can execute in the page for whoever views it: a cross-site scripting flaw (CWE-79).
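The following Python is an added illustration of the bug class described above; it is not code from the advisory or from docassemble. A user-supplied name is substituted into page markup verbatim, so <script> tags and event-handler attributes survive into the rendered HTML; the hardened renderer escapes at the HTML sink instead. find_active_markup is a regression-style check that can be run over rendered output to confirm that no script-capable construct survived. The template string, the sample names and the function names are this example's own assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the advisory): a benign name and two
# payloads of the kind a user could type into a name field.
SAMPLE_NAMES = {
    "benign": "Ada Lovelace",
    "script": '<script>alert("xss")</script>',
    "event_handler": '<img src=x onerror="alert(1)">',
}

# Hypothetical stand-in for a page fragment that displays the user's name.
# This is not docassemble's template; it only reproduces the bug class.
GREETING_TEMPLATE = "<p>Hello, {name}!</p>"


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: user input is substituted into HTML verbatim."""
    return GREETING_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened pattern: escape at the HTML sink. quote=True also covers the
    case where the value lands inside a quoted attribute."""
    return GREETING_TEMPLATE.format(name=html.escape(name, quote=True))


class ActiveMarkupDetector(HTMLParser):
    """Collects constructs that can run script: <script>, <iframe>, <object>,
    <embed>, on* event-handler attributes and javascript: URLs in href/src."""

    RISKY_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in self.RISKY_TAGS:
            self.findings.append(f"<{tag}> element")
        for attr, value in attrs:
            if attr.startswith("on"):
                self.findings.append(f"{attr} handler on <{tag}>")
            elif attr in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {attr} on <{tag}>")


def find_active_markup(rendered: str) -> list:
    """Return the script-capable constructs found in rendered HTML (empty list
    when clean). Usable as a regression check on pages that echo user input."""
    detector = ActiveMarkupDetector()
    detector.feed(rendered)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for label, name in SAMPLE_NAMES.items():
        for renderer in (render_unsafe, render_safe):
            out = renderer(name)
            print(f"{renderer.__name__:13} {label:14} -> {find_active_markup(out) or 'clean'}")
```

Escaping at the sink (here html.escape; in a Jinja2-based app, autoescaping or Markup-aware templates) is the fix; the detector is only a check, not a sanitiser, and a denylist of tags is never a substitute for output encoding.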

Patches

The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched.

Workarounds

If upgrading is not possible, manually apply the changes of 4801ac7 and restart the server (e.g., by pressing Save on the Configuration screen).

Credit

The vulnerability was discovered by Riyush Ghimire (@richighimi).

For more information

If you have any questions or comments about this advisory:

Database specific
{
    "nvd_published_at": "2024-03-21T02:52:19Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-29T22:14:49Z"
}
References

Affected packages

PyPI / docassemble-webapp

Package

Name
docassemble-webapp
Purl
pkg:pypi/docassemble-webapp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.4.97
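As an added example (not part of the OSV page or of docassemble), the following Python evaluates the ECOSYSTEM range above, introduced at 0 and fixed in 1.4.97, against candidate versions using OSV's event semantics: an introduced event opens a half-open interval, a fixed event closes it with an exclusive bound, a last_affected event closes it with an inclusive bound, and an introduced event that is never closed means every later version is affected. The AFFECTED dict is this example's reconstruction of the page's data in OSV JSON shape; the version parser assumes plain dotted numeric versions, which is all docassemble-webapp has published.

```python
from importlib.metadata import PackageNotFoundError, version as dist_version
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# The affected entry from this page, reconstructed in OSV's JSON shape:
# one ECOSYSTEM range, introduced at "0", fixed in 1.4.97.
AFFECTED = {
    "package": {"ecosystem": "PyPI", "name": "docassemble-webapp",
                "purl": "pkg:pypi/docassemble-webapp"},
    "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.4.97"}]}
    ],
}


def parse_version(v: str) -> Version:
    """Parse a plain dotted numeric version such as "1.4.97" into a tuple.
    Assumption: docassemble-webapp releases are purely numeric. Pre-/post-/dev
    releases (PEP 440) would raise here; use packaging.version for those."""
    return tuple(int(part) for part in v.strip().split("."))


def affected_intervals(ranges) -> List[Tuple[Version, Optional[Version], bool]]:
    """Turn OSV events into (low, high, high_inclusive) intervals.

    OSV semantics: "introduced" opens an interval, "fixed" closes it with an
    exclusive bound, "last_affected" closes it with an inclusive bound, and an
    "introduced" that is never closed means every later version is affected.
    GIT ranges are skipped: they are ordered by commit history, not by version.
    """
    intervals = []
    for rng in ranges:
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue
        low = None
        for event in rng["events"]:
            if "introduced" in event:
                low = parse_version(event["introduced"])
            elif "fixed" in event and low is not None:
                intervals.append((low, parse_version(event["fixed"]), False))
                low = None
            elif "last_affected" in event and low is not None:
                intervals.append((low, parse_version(event["last_affected"]), True))
                low = None
        if low is not None:
            intervals.append((low, None, False))  # no fix published yet
    return intervals


def is_affected(candidate: str, affected=AFFECTED) -> bool:
    """True when the candidate version falls inside any affected interval."""
    v = parse_version(candidate)
    for low, high, inclusive in affected_intervals(affected["ranges"]):
        if v < low:
            continue
        if high is None or v < high or (inclusive and v == high):
            return True
    return False


def installed_version(dist="docassemble-webapp") -> Optional[str]:
    """Version of the locally installed distribution, or None if absent."""
    try:
        return dist_version(dist)
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    for v in ("0.3.2", "1.4.96", "1.4.97", "1.5.0"):
        print(f"{v:8} affected={is_affected(v)}")
    local = installed_version()
    if local is None:
        print("docassemble-webapp is not installed in this environment")
    else:
        print(f"installed {local}: affected={is_affected(local)}")
```

Run it inside the environment that serves docassemble (the container image, not the host) so installed_version reports the version actually in use; a patched Docker image pulled after the fix should report 1.4.97 or later.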

Affected versions

0.*

0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17
0.3.18
0.3.19
0.3.20
0.3.21
0.3.22
0.3.23
0.3.24
0.3.25
0.3.26
0.3.27
0.3.28
0.3.29
0.3.30
0.3.31
0.3.32
0.3.33
0.3.34
0.3.35
0.3.36
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.4.15
0.4.16
0.4.17
0.4.18
0.4.19
0.4.20
0.4.21
0.4.22
0.4.23
0.4.24
0.4.25
0.4.26
0.4.27
0.4.28
0.4.29
0.4.30
0.4.31
0.4.32
0.4.33
0.4.34
0.4.35
0.4.36
0.4.37
0.4.38
0.4.39
0.4.40
0.4.41
0.4.42
0.4.43
0.4.44
0.4.45
0.4.46
0.4.47
0.4.48
0.4.49
0.4.50
0.4.51
0.4.52
0.4.53
0.4.54
0.4.55
0.4.56
0.4.57
0.4.58
0.4.59
0.4.60
0.4.61
0.4.62
0.4.63
0.4.64
0.4.65
0.4.66
0.4.67
0.4.68
0.4.69
0.4.70
0.4.71
0.4.72
0.4.73
0.4.74
0.4.75
0.4.76
0.4.77
0.4.78
0.4.79
0.4.80
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.5.9
0.5.10
0.5.11
0.5.12
0.5.13
0.5.14
0.5.15
0.5.16
0.5.17
0.5.18
0.5.19
0.5.20
0.5.21
0.5.22
0.5.23
0.5.24
0.5.25
0.5.26
0.5.27
0.5.28
0.5.29
0.5.30
0.5.31
0.5.32
0.5.33
0.5.34
0.5.35
0.5.36
0.5.37
0.5.38
0.5.39
0.5.40
0.5.41
0.5.42
0.5.43
0.5.44
0.5.45
0.5.46
0.5.47
0.5.48
0.5.49
0.5.50
0.5.51
0.5.52
0.5.53
0.5.54
0.5.55
0.5.56
0.5.57
0.5.58
0.5.59
0.5.60
0.5.61
0.5.62
0.5.63
0.5.64
0.5.65
0.5.66
0.5.67
0.5.68
0.5.69
0.5.70
0.5.71
0.5.72
0.5.73
0.5.74
0.5.75
0.5.76
0.5.77
0.5.78
0.5.79
0.5.80
0.5.81
0.5.82
0.5.83
0.5.84
0.5.85
0.5.86
0.5.87
0.5.88
0.5.89
0.5.90
0.5.91
0.5.92
0.5.93
0.5.94
0.5.95
0.5.96
0.5.97
0.5.98
0.5.99
0.5.100
0.5.101
0.5.102
0.5.103
0.5.104
0.5.105
0.5.106
0.5.107
0.5.108
0.5.109
0.5.110
0.5.111

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.1.15
1.1.16
1.1.17
1.1.18
1.1.19
1.1.20
1.1.21
1.1.22
1.1.23
1.1.24
1.1.25
1.1.26
1.1.27
1.1.28
1.1.29
1.1.30
1.1.31
1.1.32
1.1.33
1.1.34
1.1.35
1.1.36
1.1.37
1.1.38
1.1.39
1.1.40
1.1.41
1.1.42
1.1.43
1.1.44
1.1.45
1.1.46
1.1.47
1.1.48
1.1.49
1.1.50
1.1.51
1.1.52
1.1.53
1.1.54
1.1.55
1.1.56
1.1.57
1.1.58
1.1.59
1.1.60
1.1.61
1.1.62
1.1.63
1.1.64
1.1.65
1.1.66
1.1.67
1.1.68
1.1.69
1.1.70
1.1.71
1.1.72
1.1.73
1.1.74
1.1.75
1.1.76
1.1.77
1.1.78
1.1.79
1.1.80
1.1.81
1.1.82
1.1.83
1.1.84
1.1.85
1.1.86
1.1.87
1.1.88
1.1.89
1.1.90
1.1.91
1.1.92
1.1.93
1.1.94
1.1.95
1.1.96
1.1.97
1.1.98
1.1.99
1.1.100
1.1.101
1.1.102
1.1.103
1.1.104
1.1.105
1.1.106
1.1.107
1.1.108
1.1.109
1.1.110
1.1.111
1.1.112
1.1.113
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
1.2.22
1.2.23
1.2.24
1.2.25
1.2.26
1.2.27
1.2.28
1.2.29
1.2.30
1.2.31
1.2.32
1.2.33
1.2.34
1.2.35
1.2.36
1.2.37
1.2.38
1.2.39
1.2.40
1.2.41
1.2.42
1.2.43
1.2.44
1.2.45
1.2.46
1.2.47
1.2.48
1.2.49
1.2.50
1.2.51
1.2.52
1.2.53
1.2.54
1.2.55
1.2.56
1.2.57
1.2.58
1.2.59
1.2.60
1.2.61
1.2.62
1.2.63
1.2.64
1.2.65
1.2.66
1.2.67
1.2.68
1.2.69
1.2.70
1.2.71
1.2.72
1.2.73
1.2.74
1.2.75
1.2.76
1.2.77
1.2.78
1.2.79
1.2.80
1.2.81
1.2.82
1.2.83
1.2.84
1.2.85
1.2.86
1.2.87
1.2.88
1.2.89
1.2.90
1.2.91
1.2.92
1.2.93
1.2.94
1.2.95
1.2.96
1.2.97
1.2.98
1.2.99
1.2.100
1.2.101
1.2.102
1.2.103
1.2.104
1.2.105
1.2.106
1.2.107
1.2.108
1.2.109
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.15
1.3.16
1.3.17
1.3.18
1.3.19
1.3.20
1.3.21
1.3.22
1.3.23
1.3.24
1.3.25
1.3.26
1.3.27
1.3.28
1.3.29
1.3.30
1.3.31
1.3.32
1.3.33
1.3.34
1.3.35
1.3.36
1.3.37
1.3.38
1.3.39
1.3.40
1.3.41
1.3.42
1.3.43
1.3.44
1.3.45
1.3.46
1.3.47
1.3.48
1.3.49
1.3.50
1.3.51
1.3.52
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16
1.4.17
1.4.18
1.4.19
1.4.20
1.4.21
1.4.22
1.4.23
1.4.24
1.4.25
1.4.26
1.4.27
1.4.28
1.4.29
1.4.30
1.4.31
1.4.32
1.4.33
1.4.34
1.4.35
1.4.36
1.4.37
1.4.38
1.4.39
1.4.40
1.4.41
1.4.42
1.4.43
1.4.44
1.4.45
1.4.46
1.4.47
1.4.48
1.4.49
1.4.50
1.4.51
1.4.52
1.4.53
1.4.54
1.4.55
1.4.56
1.4.57
1.4.58
1.4.59
1.4.60
1.4.61
1.4.62
1.4.63
1.4.64
1.4.65
1.4.66
1.4.67
1.4.68
1.4.69
1.4.70
1.4.71
1.4.72
1.4.73
1.4.74
1.4.75
1.4.76
1.4.77
1.4.78
1.4.79
1.4.80
1.4.81
1.4.82
1.4.83
1.4.84
1.4.85
1.4.86
1.4.87
1.4.88
1.4.89
1.4.90
1.4.91
1.4.92
1.4.93
1.4.94
1.4.95
1.4.96