CVE-2022-23466 teler.app

Package

Manager: go
Name: teler.app
Vulnerable Version: >=2.0.0-rc <2.0.0-rc.4 || =2.0.0-dev || >=2.0.0-dev <2.0.0-dev.2 || >=0.0.0-20220625162531-2289e90590a9 <0.0.0-20221203202318-20f59eda2420 || >=1.2.3-0.20220625162531-2289e90590a9 <1.2.3-0.20221203202318-20f59eda2420

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.0011 (percentile 0.29982)

Details

teler dashboard vulnerable to DOM-based cross-site scripting (XSS)

Description

teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard is not sanitized before being rendered.

Impact

This only affects authenticated users and can only be exploited if a log entry for a detected threat contains a DOM scripting payload. The severity is therefore low, with no significant impact on users.

Affected Version

This issue was introduced in version `v2.0.0-rc` and is present up to `v2.0.0-rc.3`, as well as in `v2.0.0-dev`.

Patches

This vulnerability has been fixed in versions `v2.0.0-rc.4` and `v2.0.0-dev.2`.

Workarounds

Here are some workarounds to handle this case:

- Deactivate the live event dashboard from the configuration file, or
- Upgrade teler to `v2.0.0-rc.4` or `v2.0.0-dev.2` or later.

References

- https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e
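The rendering mistake the advisory describes, shown as an added example that is not teler's code: a dashboard receives log lines from an event stream and builds list items from them. The event field names (`ts`, `msg`) and the sample payloads are constructed for this illustration. `renderUnsafe` interpolates the raw message into markup (the string-template equivalent of assigning it to `innerHTML`), so any HTML in a log line is interpreted; `renderSafe` escapes each untrusted field first. `containsInjectedTag` is a small check that flags tags in the output that did not come from the template.

```javascript
// Constructed sample events, as a dashboard might receive them from an
// endpoint such as /events. Field names are assumptions for this example.
const SAMPLE_EVENTS = [
  { ts: "2022-12-06T15:36:15Z", msg: "GET /login 200" },
  // A logged request line that happens to contain markup.
  { ts: "2022-12-06T15:36:16Z", msg: "GET /?q=<b>not bold</b> 403" },
];

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw log message is concatenated into markup,
// so the browser parses whatever the log contains as HTML.
function renderUnsafe(ev) {
  return `<li><time>${ev.ts}</time> ${ev.msg}</li>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches markup.
function renderSafe(ev) {
  return `<li><time>${escapeHtml(ev.ts)}</time> ${escapeHtml(ev.msg)}</li>`;
}

// Returns true if the rendered fragment contains a tag that is not part of
// the template, i.e. log data was interpreted as markup.
function containsInjectedTag(html) {
  const templateTags = new Set(["li", "/li", "time", "/time"]);
  return [...html.matchAll(/<([^>\s]+)/g)].some((m) => !templateTags.has(m[1]));
}

// In a real page, prefer DOM APIs over string templates:
//   const li = document.createElement("li");
//   li.textContent = ev.msg;   // never parsed as HTML, no escaping needed
//   list.appendChild(li);

// Renders each sample event both ways and reports whether markup leaked.
function demo() {
  return SAMPLE_EVENTS.map((ev) => ({
    unsafeInjected: containsInjectedTag(renderUnsafe(ev)),
    safeInjected: containsInjectedTag(renderSafe(ev)),
  }));
}
```

The same check is a useful regression test for any dashboard that displays attacker-influenced log data: render a log line containing a harmless tag and assert that the output contains no element the template did not put there.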

Metadata

Created: 2022-12-06T15:36:15Z
Modified: 2025-07-08T19:39:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-xr7p-8q82-878q/GHSA-xr7p-8q82-878q.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xr7p-8q82-878q
Finding: F008
Auto approve: 1