{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41675", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-18T15:21:47.486Z", "datePublished": "2024-08-21T14:34:31.424Z", "dateUpdated": "2024-08-22T13:35:13.240Z"}, "containers": {"cna": {"title": "CKAN has a Cross-site Scripting vector in the Datatables view plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ckan/ckan/security/advisories/GHSA-r3jc-vhf4-6v32", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ckan/ckan/security/advisories/GHSA-r3jc-vhf4-6v32"}, {"name": "https://github.com/ckan/ckan/commit/9e89ce8220ab1445e0bd85a67994a51d9d3d2688", "tags": ["x_refsource_MISC"], "url": "https://github.com/ckan/ckan/commit/9e89ce8220ab1445e0bd85a67994a51d9d3d2688"}, {"name": "https://github.com/ckan/ckan/commit/d7dfe8c427b1c63c75d788a609f3b7d7620a25a1", "tags": ["x_refsource_MISC"], "url": "https://github.com/ckan/ckan/commit/d7dfe8c427b1c63c75d788a609f3b7d7620a25a1"}], "affected": [{"vendor": "ckan", "product": "ckan", "versions": [{"version": ">= 2.7.0, < 2.10.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-21T14:34:31.424Z"}, "descriptions": [{"lang": "en", "value": "CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Sites running CKAN >= 2.7.0 with the datatables_view plugin activated. This is a plugin included in CKAN core, that not activated by default but it is widely used to preview tabular data. This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0."}], "source": {"advisory": "GHSA-r3jc-vhf4-6v32", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-22T13:35:03.445288Z", "id": "CVE-2024-41675", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T13:35:13.240Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41675", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-22T13:35:03.445288Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T13:35:09.168Z"}}], "cna": {"title": "CKAN has a Cross-site Scripting vector in the Datatables view plugin", "source": {"advisory": "GHSA-r3jc-vhf4-6v32", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ckan", "product": "ckan", "versions": [{"status": "affected", "version": ">= 2.7.0, < 2.10.5"}]}], "references": [{"url": "https://github.com/ckan/ckan/security/advisories/GHSA-r3jc-vhf4-6v32", "name": "https://github.com/ckan/ckan/security/advisories/GHSA-r3jc-vhf4-6v32", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ckan/ckan/commit/9e89ce8220ab1445e0bd85a67994a51d9d3d2688", "name": "https://github.com/ckan/ckan/commit/9e89ce8220ab1445e0bd85a67994a51d9d3d2688", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ckan/ckan/commit/d7dfe8c427b1c63c75d788a609f3b7d7620a25a1", "name": "https://github.com/ckan/ckan/commit/d7dfe8c427b1c63c75d788a609f3b7d7620a25a1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Sites running CKAN >= 2.7.0 with the datatables_view plugin activated. This is a plugin included in CKAN core, that not activated by default but it is widely used to preview tabular data. This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-21T14:34:31.424Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41675", "state": "PUBLISHED", "dateUpdated": "2024-08-22T13:35:13.240Z", "dateReserved": "2024-07-18T15:21:47.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-08-21T14:34:31.424Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*", "matchCriteriaId": "A70EB437-0147-41E9-B781-D0F52995B0C4", "versionEndExcluding": "2.10.5", "versionStartIncluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Sites running CKAN >= 2.7.0 with the datatables_view plugin activated. This is a plugin included in CKAN core, that not activated by default but it is widely used to preview tabular data. This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0."}, {"lang": "es", "value": "CKAN es un sistema de gesti\u00f3n de datos de c\u00f3digo abierto para impulsar centros y portales de datos. El complemento de vista Datatables no escap\u00f3 correctamente de los datos de registro provenientes del DataStore, lo que gener\u00f3 un posible vector XSS. Sitios que ejecutan CKAN &gt;= 2.7.0 con el complemento datatables_view activado. Este es un complemento incluido en el n\u00facleo de CKAN, que no est\u00e1 activado de forma predeterminada pero se usa ampliamente para obtener una vista previa de datos tabulares. Esta vulnerabilidad se ha solucionado en CKAN 2.10.5 y 2.11.0."}], "id": "CVE-2024-41675", "lastModified": "2024-08-23T17:07:28.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-21T15:15:08.963", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ckan/ckan/commit/9e89ce8220ab1445e0bd85a67994a51d9d3d2688"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ckan/ckan/commit/d7dfe8c427b1c63c75d788a609f3b7d7620a25a1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ckan/ckan/security/advisories/GHSA-r3jc-vhf4-6v32"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}