CVE-2023-31285 – serenity.net.core
Package
Manager: nuget
Name: serenity.net.core
Vulnerable Version: >=0 <6.7.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00714 (percentile: 0.71473)
Details
Cross Site Scripting (XSS) in Serenity
An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an administrator user.
Metadata
Created: 2023-04-27T03:30:23Z
Modified: 2023-05-05T20:33:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-93h6-wx7r-mgfp/GHSA-93h6-wx7r-mgfp.json
CWE IDs: CWE-79
Alternative ID: GHSA-93h6-wx7r-mgfp
Finding: F425
Auto approve: 1