CVE-2020-13870 – verbb/comments
Package
Manager: composer
Name: verbb/comments
Vulnerable Version: >=0 <1.5.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00206 (percentile: 0.42973)
Details
Comments plugin stored Cross-site Scripting (XSS) via an asset volume name

An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. There is stored XSS via an asset volume name.
Metadata
Created: 2022-05-24T17:19:26Z
Modified: 2024-04-24T18:00:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-69ww-wv3j-mhg4/GHSA-69ww-wv3j-mhg4.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-69ww-wv3j-mhg4
Finding: F425
Auto approve: 1