CVE-2021-3780 peertube

Package

Manager: npm
Name: peertube
Vulnerable Version: >=0 <3.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00344 (percentile: 0.56277)

Details

Cross-site Scripting in peertube

peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). An attacker could upload an SVG image and send its URL to other users. When a victim opens the link, the attacker can obtain the victim's complete session keys, because the session keys are stored in local storage, where JavaScript can easily steal them.

Metadata

Created: 2021-09-20T20:42:41Z
Modified: 2021-09-24T13:07:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-f2c5-997w-7f5c/GHSA-f2c5-997w-7f5c.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-f2c5-997w-7f5c
Finding: F425
Auto approve: 1