Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 15 Aug 2025 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:galaxyproject:galaxy:*:*:*:*:*:*:*:*

Fri, 20 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Sep 2024 19:00:00 +0000

Type Values Removed Values Added
Description Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Title Stored Cross Site Scripting (Stored XSS) in Galaxy
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-09-20T20:09:40.416Z

Reserved: 2024-07-30T14:01:33.921Z

Link: CVE-2024-42346

cve-icon Vulnrichment

Updated: 2024-09-20T20:09:33.358Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-20T19:15:15.547

Modified: 2025-08-15T14:19:48.833

Link: CVE-2024-42346

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T22:00:51Z