GHSA-xr7p-8q82-878q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xr7p-8q82-878q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-xr7p-8q82-878q/GHSA-xr7p-8q82-878q.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-xr7p-8q82-878q
- Aliases
- Related
- Published
- 2022-12-06T15:36:15Z
- Modified
- 2023-11-01T04:57:51.686039Z
- Severity
-
- 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- teler dashboard vulnerable to DOM-based cross-site scripting (XSS)
- Details
-
Description
teler prior to version <= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the
/eventsendpoint, the log data displayed on the dashboard are not sanitized.Impact
This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users.
Affected Version
This issue was introduced from version
v2.0.0-rctov2.0.0-rc.3&v2.0.0-dev.Patches
This vulnerability has been fixed on version
v2.0.0-rc.4&v2.0.0-dev.2.Workarounds
Here are some workarounds to handle this case: - Deactivate the live event dashboard from the configuration file, or - Upgrade teler version to
v2.0.0-rc.4orv2.0.0-dev.2& above.References
- https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e
- Database specific
{ "nvd_published_at": "2022-12-06T18:15:00Z", "github_reviewed_at": "2022-12-06T15:36:15Z", "severity": "LOW", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Go / teler.app
Package
- Name
- teler.app
- View open source insights on deps.dev
- Purl
- pkg:golang/teler.app
Go / teler.app
Package
- Name
- teler.app
- View open source insights on deps.dev
- Purl
- pkg:golang/teler.app