Headline
CVE-2023-29015: escape comment text; fixes #24585 · intranda/goobi-viewer-core@f0ccde2
The Goobi viewer is a web application that displays digitised material in a web browser. A stored cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03: comment text was rendered into the page without HTML escaping, so an attacker could create a specially crafted comment that runs malicious script in the browser of any user who views it. The vulnerability has been fixed in version 23.03.
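The following is an added example for this page, not code from goobi-viewer-core or intranda. It is a small Python stand-in for the comment-text block in the patched template: `render_comment` produces the fragment either unescaped (the pre-fix inline `#{comment.displayText}` behaviour) or escaped (the post-fix `<h:outputText ... escape="true"/>` behaviour), and an `HTMLParser`-based audit checks that untrusted comment text reaches the browser only as a text node, never as elements or attributes. The payload strings are constructed for the check and are not taken from the advisory; the function names are my own.

```python
"""Render-time escaping check for a user-comment fragment (added example,
not goobi-viewer-core code)."""
import html
from html.parser import HTMLParser

# Constructed attacker payloads for the check; none are taken from the advisory.
PAYLOADS = [
    '<script>alert(document.cookie)</script>',
    '<img src=x onerror="alert(1)">',
    '"><svg onload=alert(1)>',
    '<a href="javascript:alert(1)">click</a>',
]


def render_comment(text, escape):
    """Stand-in for the comment-text div of the template on this page.

    escape=False mimics the pre-fix inline EL, which dropped the raw string
    into the page; escape=True mimics <h:outputText escape="true"/>, which
    turns &, <, >, " and ' into character references before output.
    """
    body = html.escape(text, quote=True) if escape else text
    return f'<div class="user-comments__comment-content-text in">{body}</div>'


class MarkupAudit(HTMLParser):
    """Collects every element, attribute name and text run a browser would see."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: &lt; comes back as text '<'
        self.tags = []
        self.attrs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

    def handle_data(self, data):
        self.text.append(data)


def audit(fragment):
    """Parse a rendered fragment and report what it contains."""
    parser = MarkupAudit()
    parser.feed(fragment)
    parser.close()
    return {"tags": parser.tags, "attrs": parser.attrs, "text": "".join(parser.text)}


def comment_is_inert(text, escape):
    """True when rendering `text` adds nothing beyond the template's own div.

    Any extra element or attribute means the comment became markup, which is
    the stored-XSS condition the advisory describes.
    """
    seen = audit(render_comment(text, escape))
    return seen["tags"] == ["div"] and seen["attrs"] == ["class"]


def round_trips(text):
    """Escaping must not lose content: the browser's text node equals the input."""
    return audit(render_comment(text, escape=True))["text"] == text


def run_checks():
    """Per payload: (fires when unescaped, inert when escaped, text preserved)."""
    return {
        p: (not comment_is_inert(p, escape=False),
            comment_is_inert(p, escape=True),
            round_trips(p))
        for p in PAYLOADS
    }


if __name__ == "__main__":
    for payload, (fires, inert, kept) in run_checks().items():
        print(f"{payload!r:45} unescaped-fires={fires} escaped-inert={inert} text-kept={kept}")
```

The audit deliberately asserts on the parsed result rather than on the escaped string: the property worth testing is "no element or attribute other than the template's own" as a browser would see it, which also catches payloads that break out of an attribute rather than opening a tag. In the real project the equivalent regression test would render the Facelets view for a comment containing these strings and run the same audit over the response body.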
@@ -51,7 +51,9 @@
<!-- COMMENT METADATA -->
<div class="user-comments__comment-metadata">
<span class="user-comments__comment-metadata-creator">#{comment.creator.displayNameEscaped}</span>
<span class="user-comments__comment-metadata-creator">
#{comment.creator.displayNameEscaped}
</span>
<span class="user-comments__comment-metadata-date">#{navigationHelper.getLocalDate(comment.dateCreated)}</span>
</div>
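Review bot: the creator span change is cosmetic only; `#{comment.creator.displayNameEscaped}` is unchanged and merely moved onto its own line, so it contributes nothing to the CVE fix and should be dropped from a security commit (or landed separately) to keep the fix minimal and easy to backport. The multi-line form also places leading and trailing whitespace inside the `<span>`, which changes the rendered text node, so if readability was the goal the one-line form is the safer one to keep. Separately, the creator name is escaped in the model (`displayNameEscaped`) while the comment text is now escaped at render time; picking one convention, preferably render-time escaping via `<h:outputText>`, would make the template easier to audit. The date span can stay as it is, since its value comes from `dateCreated` rather than free-text input.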
@@ -77,7 +79,8 @@
<!-- COMMENT TEXT -->
<div class="user-comments__comment-content-text in">
#{comment.displayText}</div>
<h:outputText value="#{comment.displayText}" escape="true" />
</div>
<!-- EDIT COMMENT -->
<ui:fragment
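Review bot: `escape="true"` is the default for `<h:outputText>`, so the attribute is redundant, but keeping it explicit is worth it here because it documents the security intent; add a short XHTML comment naming CVE-2023-29015 next to it so a later cleanup does not remove the attribute or revert to inline EL. Two things to confirm before merge: that `comment.displayText` is meant to be plain text, since any HTML previously honoured in comments will now be shown literally, and that no other view renders `comment.displayText` (or the raw comment text) with inline EL, otherwise the same stored payload still fires there. Moving the closing `</div>` from the end of the old `#{comment.displayText}</div>` line onto its own line is fine; it only adds whitespace text nodes around the output.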
Related news
### Impact

A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user's browser when displaying the comment.

### Patches

The vulnerability has been fixed in version 23.03.

If you have any questions or comments about this advisory:

* Email us at [[email protected]](mailto:[email protected])