CVE-2023-26042: HTML/XSS Injection Possibilities in Part-DB 1.0.0 and 1.0.1

Part-DB is an open source inventory management system for your electronic components. User input was found not to be properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts, so it is not possible to execute JavaScript code except in combination with other vulnerabilities. There are no workarounds; please upgrade to Part-DB 1.0.2 or later.

CVE
#xss#vulnerability#java#perl

Impact

In various locations, user input was not properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. However, as the Content-Security-Policy forbids inline scripts and external scripts, it is not possible (or only in combination with other vulnerabilities) to execute JavaScript code.
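The two defences this advisory relies on are output escaping and a Content-Security-Policy without `'unsafe-inline'`. The following added example (not Part-DB's own code, which is PHP/Twig; the templates, sample part names and CSP strings here are constructed for illustration) shows the vulnerable interpolation pattern beside its escaped form, a crude detector for foreign markup in rendered output, and a check of whether a CSP header still forbids inline scripts, which is what keeps an HTML injection like this one from becoming script execution.

```python
import html
import re

# Constructed sample values a user might type as a part name (not taken from Part-DB).
SAMPLE_INPUTS = [
    "10k resistor",
    "<b>bold</b>",
    '<img src=x onerror="alert(1)">',
]

# Tags the hypothetical template itself emits; anything else in the output is foreign.
TEMPLATE_TAGS = ("td",)


def render_unescaped(name: str) -> str:
    """Vulnerable pattern: user input is interpolated straight into the page."""
    return f'<td class="part-name">{name}</td>'


def render_escaped(name: str) -> str:
    """Hardened pattern: HTML-escape the value (including quotes) before interpolating."""
    return f'<td class="part-name">{html.escape(name, quote=True)}</td>'


def contains_injected_markup(rendered: str, template_tags=TEMPLATE_TAGS) -> bool:
    """Return True if the rendered fragment contains any tag the template did not emit.

    This is a coarse test-time check for missed escaping, not a sanitizer.
    """
    tags = re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", rendered)
    return any(tag.lower() not in template_tags for tag in tags)


def csp_forbids_inline_scripts(csp: str) -> bool:
    """Return True if the CSP's effective script-src omits 'unsafe-inline'.

    Simplified: falls back to default-src when script-src is absent and ignores
    nonce/hash/strict-dynamic interactions. With no script directive at all the
    policy places no restriction on scripts, so the answer is False.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    return bool(sources) and "'unsafe-inline'" not in sources


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        for label, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
            out = renderer(value)
            print(f"{label:9} injected={contains_injected_markup(out)!s:5} {out}")
    for policy in ("default-src 'self'; script-src 'self'",
                   "script-src 'self' 'unsafe-inline'",
                   "img-src *"):
        print(f"inline scripts forbidden={csp_forbids_inline_scripts(policy)!s:5} {policy}")
```

The detector is intentionally strict: `render_escaped` never produces a `<` in the data position, so any tag outside the template's own set points at a spot where escaping was skipped. The CSP check illustrates why the advisory rates the issue as HTML injection rather than full XSS.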

Patches

Upgrade to Part-DB 1.0.2 or later for a fixed version.

Workarounds

There is no way to prevent this completely without upgrading. To reduce the risk, do not click links to Part-DB given by untrusted users, and grant edit access only to trusted users.

References

See this PR and the commits between v1.0.1 … v1.0.2 for exactly what was affected.
