CVE-2023-6720

An XSS vulnerability stored in Repox has been identified, which allows a local attacker to store a specially crafted JavaScript payload on the server, due to the lack of proper sanitisation of field elements, allowing the attacker to trigger the malicious payload when the application loads.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:europeana:repox:2.3.7:*:*:*:*:*:*:*

History

18 Dec 2023, 17:45

Type	Values Removed	Values Added
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
CPE		cpe:2.3:a:europeana:repox:2.3.7:::::::*

13 Dec 2023, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-13 10:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-6720

Mitre link : CVE-2023-6720

CVE.ORG link : CVE-2023-6720

JSON object : View

Products Affected

europeana

repox

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-6720", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.1}]}, "published": "2023-12-13T10:15:11.403", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An XSS vulnerability stored in Repox has been identified, which allows a local attacker to store a specially crafted JavaScript payload on the server, due to the lack of proper sanitisation of field elements, allowing the attacker to trigger the malicious payload when the application loads."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad XSS almacenada en Repox, que permite a un atacante local almacenar un payload de JavaScript especialmente manipulado en el servidor, debido a la falta de una sanitizaci\u00f3n adecuada de los elementos de campo, lo que permite al atacante activar el payload malicioso cuando se carga la aplicaci\u00f3n."}], "lastModified": "2023-12-18T17:45:01.760", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:europeana:repox:2.3.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA4CFB07-33A3-44FB-A484-9C23CD4AA5B3"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}