CVE-2023-49078 - Vulnerability Details - OpenCVE

raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user controlled URL parameter is loaded into an internal template that has autoescape disabled. This is a cross-site scripting vulnerability that affects all deployments of `raptor-web` on version `0.4.4`. Any victim who clicks on a malicious crafted link will be affected. This issue has been patched 0.4.4.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00568.

Key SSVC decision points have not yet been added.

Vendors	Products
Zediious	Raptor-web

Configuration 1 [-]

cpe:2.3:a:zediious:raptor-web:0.4.4:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/zediious/raptor-web/releases/tag/0.4.4.1
https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-28T18:15:24.447Z

Updated: 2024-08-02T21:46:29.244Z

Reserved: 2023-11-21T18:57:30.427Z

Link: CVE-2023-49078

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-11-28T19:15:07.397

Modified: 2024-11-21T08:32:46.477

Link: CVE-2023-49078

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49078", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.427Z", "datePublished": "2023-11-28T18:15:24.447Z", "dateUpdated": "2024-08-02T21:46:29.244Z"}, "containers": {"cna": {"title": "Cross-Site Scripting vulnerability in raptor-web 0.4.4", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq"}, {"name": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1"}], "affected": [{"vendor": "zediious", "product": "raptor-web", "versions": [{"version": "< 0.4.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-28T18:15:24.447Z"}, "descriptions": [{"lang": "en", "value": "raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user controlled URL parameter is loaded into an internal template that has autoescape disabled. This is a cross-site scripting vulnerability that affects all deployments of `raptor-web` on version `0.4.4`. Any victim who clicks on a malicious crafted link will be affected. This issue has been patched 0.4.4.1."}], "source": {"advisory": "GHSA-8r6g-fhh4-xhmq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.244Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq"}, {"name": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zediious:raptor-web:0.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "E59B46AE-B7E3-446D-B612-15849A930CD4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user controlled URL parameter is loaded into an internal template that has autoescape disabled. This is a cross-site scripting vulnerability that affects all deployments of `raptor-web` on version `0.4.4`. Any victim who clicks on a malicious crafted link will be affected. This issue has been patched 0.4.4.1."}, {"lang": "es", "value": "raptor-web es un CMS para comunidades de servidores de juegos que se puede utilizar para alojar informaci\u00f3n y realizar un seguimiento de los jugadores. En la versi\u00f3n 0.4.4 de raptor-web, es posible crear una URL maliciosa que dar\u00e1 como resultado una vulnerabilidad de cross-site scripting reflejado. Un par\u00e1metro de URL controlado por el usuario se carga en una plantilla interna que tiene el escape autom\u00e1tico deshabilitado. Esta es una vulnerabilidad de cross-site scripting que afecta a todas las implementaciones de \"raptor-web\" en la versi\u00f3n \"0.4.4\". Cualquier v\u00edctima que haga clic en un enlace malicioso se ver\u00e1 afectada. Este problema ha sido parcheado 0.4.4.1."}], "id": "CVE-2023-49078", "lastModified": "2024-11-21T08:32:46.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-28T19:15:07.397", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/zediious/raptor-web/releases/tag/0.4.4.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zediious/raptor-web/security/advisories/GHSA-8r6g-fhh4-xhmq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}