CVE-2023-37272 Vulnerability Details

  /     /     /  

CVE-2023-37272 Metadata Quick Info

CVE Published: 13/07/2023 | CVE Updated: 21/10/2024 | CVE Year: 2023
Source: GitHub_M | Vendor: sos-berlin | Product: joc-cockpit
Status : PUBLISHED

---

CVE-2023-37272 Description

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0. The vulnerability is resolved with release 1.13.19.

Metrics

CVSS Version: 3.1 | Base Score: 6.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* LOW
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-79
CWE Name: CWE-79: Improper Neutralization of Input During Web Page Generation ( Cross-site Scripting )
Source: sos-berlin

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).