Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-37272: XSS vulnerability in JOC Cockpit branch 1.13

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0. The vulnerability is resolved with release 1.13.19.

CVE
Open in Source
#xss#vulnerability#js

Impact

Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser.

Risk Mitigation: Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0.

Patches

The vulnerability is resolved with release 1.13.19.

Workarounds

Modify an existing jetty-rewrite.xml file as indicated from the below reference.
Consider instructions available from the below references that apply to releases 1.13.11 throughout 1.13.18.

References

https://change.sos-berlin.com/browse/SET-226

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE