CVE-2020-16095 – kitodo/presentation
Package
Manager: composer
Name: kitodo/presentation
Vulnerable Version: >=0 <3.1.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00325 (percentile 0.54851)
Details
Cross-site Scripting vulnerability in Kitodo.Presentation

### Impact

Kitodo.Presentation fails to properly encode URL parameters for output in HTML, making it vulnerable to Cross-Site Scripting (XSS). Only sites using the `ListView`, `Navigation` or `PageView` plugins are affected. It also includes jQuery 3.4.1, which is known to be vulnerable to Cross-Site Scripting, although there is currently no known way to exploit this in Kitodo.Presentation.

### Patches

An updated version of Kitodo.Presentation is available on [GitHub](https://github.com/kitodo/kitodo-presentation/releases/tag/v3.1.2), [Packagist](https://packagist.org/packages/kitodo/presentation#v3.1.2) and in the [TYPO3 Extension Repository](https://extensions.typo3.org/extension/dlf/). Users are advised to update as soon as possible. The issue was also fixed in release 2.3.1 of the 2.x branch, although it is generally not recommended to run this branch since it depends on an outdated TYPO3 version.

### References

* TYPO3 Security Advisory [TYPO3-EXT-SA-2020-015](https://typo3.org/security/advisory/typo3-ext-sa-2020-015)
* jQuery Security Advisory [GHSA-gxr4-xjj5-5px2](https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2)
* Open Bug Bounty Report [OBB-1219978](https://www.openbugbounty.org/reports/1219978/)

### Contact

If you have any questions or comments about this advisory:

* [Open an issue](https://github.com/kitodo/kitodo-presentation/issues/new/choose)
* Email us at [security@kitodo.org](mailto:security@kitodo.org)
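The weakness the advisory describes, a URL parameter written into HTML without encoding, beside the hardened form. This is an added illustration, not code from Kitodo.Presentation or from the advisory; the function names and the `page` parameter are assumptions chosen for the example.

```php
<?php
// Added illustrative example (not Kitodo.Presentation's own code): the unsafe
// output pattern the advisory describes, and its hardened counterpart.

// Vulnerable pattern: a request parameter is concatenated straight into HTML.
// Anything the user controls in $query['page'] ends up in the page unencoded.
function renderPageLinkUnsafe(array $query): string
{
    $page = $query['page'] ?? '1';               // hypothetical parameter name
    return '<a href="?page=' . $page . '">Page ' . $page . '</a>';
}

// Hardened pattern: encode for the HTML context before output. ENT_QUOTES
// also neutralises single and double quotes, so the value is safe inside an
// attribute as well as in element text; the charset is stated explicitly.
function renderPageLinkSafe(array $query): string
{
    $page = $query['page'] ?? '1';
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="?page=' . $safe . '">Page ' . $safe . '</a>';
}

// Constructed input: a benign-looking value carrying HTML metacharacters.
$query = ['page' => '2"><b>x</b>'];

echo renderPageLinkUnsafe($query), PHP_EOL;   // markup passes through as-is
echo renderPageLinkSafe($query), PHP_EOL;     // metacharacters arrive as entities
```

Encoding at the output point, for the exact context (HTML element text or attribute here), is what the 3.1.2 fix category amounts to: the value may still be anything, but it can no longer change the structure of the rendered page. Encoding for one context does not cover another, so a value placed into a JavaScript string or a URL component needs that context's encoder instead.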
Metadata
Created: 2020-07-31T17:39:22Z
Modified: 2024-06-03T18:36:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-fpqv-x9hm-35j9/GHSA-fpqv-x9hm-35j9.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-fpqv-x9hm-35j9
Finding: F008
Auto approve: 1