GHSA-xr7p-8q82-878q

Source

https://github.com/advisories/GHSA-xr7p-8q82-878q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-xr7p-8q82-878q/GHSA-xr7p-8q82-878q.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-xr7p-8q82-878q

Aliases

CVE-2022-23466

Published

2022-12-06T15:36:15Z

Modified

2025-07-08T19:39:18Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L CVSS Calculator

Summary

teler dashboard vulnerable to DOM-based cross-site scripting (XSS)

Details

Description

teler prior to version <= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the /events endpoint, the log data displayed on the dashboard are not sanitized.

Impact

This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users.

Affected Version

This issue was introduced from version v2.0.0-rc to v2.0.0-rc.3 & v2.0.0-dev.

Patches

This vulnerability has been fixed on version v2.0.0-rc.4 & v2.0.0-dev.2.

Workarounds

Here are some workarounds to handle this case: - Deactivate the live event dashboard from the configuration file, or - Upgrade teler version to v2.0.0-rc.4 or v2.0.0-dev.2 & above.

References

https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2022-12-06T15:36:15Z",
    "nvd_published_at": "2022-12-06T18:15:00Z",
    "github_reviewed": true,
    "severity": "LOW"
}

References

Affected packages

Go / teler.app

Package

Name: teler.app; View open source insights on deps.dev
Purl: pkg:golang/teler.app

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0-rc

Fixed

2.0.0-rc.4

Database specific

last_known_affected_version_range

"<= 2.0.0-rc.3"

Go / teler.app

Package

Name: teler.app; View open source insights on deps.dev
Purl: pkg:golang/teler.app

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0-dev

Fixed

2.0.0-dev.2

Affected versions

2.*

2.0.0-dev

Go / teler.app

Package

Name: teler.app; View open source insights on deps.dev
Purl: pkg:golang/teler.app

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-20220625162531-2289e90590a9

Fixed

0.0.0-20221203202318-20f59eda2420

Go / teler.app

Package

Name: teler.app; View open source insights on deps.dev
Purl: pkg:golang/teler.app

Affected ranges

Type: SEMVER
Events: Introduced

1.2.3-0.20220625162531-2289e90590a9

Fixed

1.2.3-0.20221203202318-20f59eda2420