CVE-2022-2514
8
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| beancount | beancount/fava | unspecified < 1.22 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
- https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
References
- https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
- https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.