Closed
Description
In GitHub Security Advisory GHSA-xxfx-w2rw-gh63, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/csaf-poc/csaf_distribution | 0.8.2 | < 0.8.2 |
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
  - module: TODO
    versions:
      - fixed: 0.8.2
    packages:
      - package: github.com/csaf-poc/csaf_distribution
description: The csaf_provider package before 0.8.2 allows XSS via a crafted CSAF
  document uploaded as text/html. The upload endpoint allows valid CSAF advisories
  (JSON format) to be uploaded with Content-Type text/html and filenames ending
  in .html. When subsequently accessed via a web browser, these advisories are served
  and interpreted as HTML pages. Such uploaded advisories can contain JavaScript
  code that will execute within the browser context of users inspecting the advisory.
cves:
  - CVE-2022-43996
ghsas:
  - GHSA-xxfx-w2rw-gh63
```
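The root cause in the description is that the server stored whatever `Content-Type` and filename the client supplied and later served the stored bytes under that media type, so a JSON advisory saved as `something.html` with `text/html` was rendered as a page. The following is an added example written for this report, not code from csaf_distribution: it shows the server-side checks a CSAF upload endpoint should enforce (declared media type is JSON, body parses as a JSON object, stored name is a sanitized `.json` basename) and a serving helper that pins the response media type regardless of how the file was uploaded. The function names `validateUpload`, `serveAdvisory` and `uploadHandler`, the `name` query parameter and the in-memory store are all assumptions made for illustration; the real provider's upload API and file layout are not described on this page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"path"
	"strings"
)

// Hypothetical hardened upload/serve logic (added example, not csaf_distribution's code).

var (
	errBadContentType = errors.New("upload must be declared as application/json")
	errBadFilename    = errors.New("filename must be a bare name ending in .json")
	errNotJSON        = errors.New("body is not a JSON object")
)

// validateUpload enforces the rules a stored CSAF advisory must meet before it
// can be served: the client-declared media type is JSON (parameters such as
// charset are allowed), the body parses as a JSON object (a CSAF advisory is
// always an object, never an array or scalar), and the stored name is reduced
// to a basename ending in .json so no path components or .html names survive.
// It returns the sanitized name under which the body may be stored.
func validateUpload(contentType, filename string, body []byte) (string, error) {
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil || mt != "application/json" {
		return "", errBadContentType
	}
	var doc map[string]interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", errNotJSON
	}
	// Normalize Windows separators, then keep only the last path element.
	base := path.Base(strings.ReplaceAll(filename, "\\", "/"))
	if base == "" || base == "." || base == "/" || strings.HasPrefix(base, ".") {
		return "", errBadFilename
	}
	if !strings.HasSuffix(strings.ToLower(base), ".json") {
		return "", errBadFilename
	}
	return base, nil
}

// serveAdvisory writes a stored advisory with a fixed media type and headers
// that stop a browser from interpreting the bytes as a page, whatever the
// uploader claimed: nosniff blocks MIME sniffing, the CSP forbids script
// execution even if the body were somehow rendered, and the attachment
// disposition makes browsers download rather than display the document.
func serveAdvisory(w http.ResponseWriter, name string, body []byte) {
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	w.Write(body)
}

// uploadHandler is the hardened counterpart of the endpoint described in the
// report: it caps the body size, validates the upload and stores the advisory
// only under the sanitized name. The store is a constructed in-memory map.
func uploadHandler(store map[string][]byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "body too large or unreadable", http.StatusBadRequest)
			return
		}
		name, err := validateUpload(r.Header.Get("Content-Type"), r.URL.Query().Get("name"), body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		store[name] = body
		w.WriteHeader(http.StatusCreated)
	}
}

func main() {
	// Constructed sample: the pattern from the report (valid JSON, declared as
	// text/html with an .html name) is rejected at upload time.
	name, err := validateUpload("text/html", "advisory.html", []byte(`{"document":{}}`))
	fmt.Println(name, err)
	name, err = validateUpload("application/json", "advisory.json", []byte(`{"document":{}}`))
	fmt.Println(name, err)
}
```

The two layers are deliberately independent: rejecting bad uploads prevents the stored artifact from ever carrying an HTML name, and pinning the response headers means that even a file that reached storage by another route is never handed to the browser as a renderable page.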