4.4 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
29 packages
- cmctl
- scmccid
- adguardian
- pcmciaUtils
- pcmciautils
- rocmPackages.clang
- haskellPackages.mcmc
- rocmPackages_6.clang
- rocmPackages.llvm.clang
- rocmPackages.llvm.rocmcxx
- rocmPackages_6.llvm.clang
- haskellPackages.mcmc-types
- rocmPackages_6.llvm.rocmcxx
- python312Packages.aioguardian
- python313Packages.aioguardian
- python314Packages.aioguardian
- python312Packages.pygitguardian
- python313Packages.pygitguardian
- python314Packages.pygitguardian
- python312Packages.django-guardian
- python313Packages.django-guardian
- python314Packages.django-guardian
- home-assistant-component-tests.guardian
- tests.home-assistant-component-tests.guardian
- python312Packages.djangorestframework-guardian
- python313Packages.djangorestframework-guardian
- python314Packages.djangorestframework-guardian
- python312Packages.djangorestframework-guardian2
- python313Packages.djangorestframework-guardian2
- @LeSuisse dismissed
HTML injection in Alerted Nodes Dashboard in Guardian/CMC before 25.6.0
A Stored HTML Injection vulnerability was discovered in the Alerted Nodes Dashboard functionality due to improper validation on an input parameter. A malicious authenticated user with the required privileges could edit a node label to inject HTML tags. If the system is configured to use the Alerted Nodes Dashboard, and alerts are reported for the affected node, then the injected HTML may render in the browser of a victim user interacting with it, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.
Affected products
- <25.6.0
- <25.6.0
Ignored packages (29)
pkgs.cmctl
Command line utility to interact with a cert-manager instalation on Kubernetes
pkgs.scmccid
PCSC drivers for linux, for the SCM SCR3310 v2.0 card and others
pkgs.adguardian
Terminal-based, real-time traffic monitoring and statistics for your AdGuard Home instance
pkgs.pcmciaUtils
None
pkgs.pcmciautils
None
pkgs.rocmPackages.clang
None
pkgs.haskellPackages.mcmc
Sample from a posterior using Markov chain Monte Carlo
pkgs.rocmPackages_6.clang
None
pkgs.rocmPackages.llvm.clang
None
pkgs.rocmPackages.llvm.rocmcxx
None
pkgs.rocmPackages_6.llvm.clang
None
pkgs.haskellPackages.mcmc-types
Common types for sampling
pkgs.rocmPackages_6.llvm.rocmcxx
None
pkgs.python312Packages.aioguardian
Python library to interact with Elexa Guardian devices
pkgs.python313Packages.aioguardian
Python library to interact with Elexa Guardian devices
pkgs.python314Packages.aioguardian
Python library to interact with Elexa Guardian devices
pkgs.python312Packages.pygitguardian
Library to access the GitGuardian API
pkgs.python313Packages.pygitguardian
Library to access the GitGuardian API
pkgs.python314Packages.pygitguardian
Library to access the GitGuardian API
pkgs.python312Packages.django-guardian
Per object permissions for Django
pkgs.python313Packages.django-guardian
Per object permissions for Django
pkgs.python314Packages.django-guardian
Per object permissions for Django
pkgs.home-assistant-component-tests.guardian
Open source home automation that puts local control and privacy first
pkgs.tests.home-assistant-component-tests.guardian
Open source home automation that puts local control and privacy first
pkgs.python312Packages.djangorestframework-guardian
Django-guardian support for Django REST Framework
pkgs.python313Packages.djangorestframework-guardian
Django-guardian support for Django REST Framework
pkgs.python314Packages.djangorestframework-guardian
Django-guardian support for Django REST Framework
pkgs.python312Packages.djangorestframework-guardian2
Django-guardian support for Django REST Framework
pkgs.python313Packages.djangorestframework-guardian2
Django-guardian support for Django REST Framework