CVE-2024-36109
7.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Summary
CoCalc is web-based software that enables collaboration in research, teaching, and scientific publishing. In affected versions the markdown parser allows <script> tags to be included which execute when published. This issue has been addressed in commit 419862a9c9879c. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| sagemathinc | cocalc | < 419862a9c9879c | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://github.com/sagemathinc/cocalc/security/advisories/GHSA-8w44-hggw-p5rf
- https://github.com/sagemathinc/cocalc/commit/419862a9c9879c
References
- https://github.com/sagemathinc/cocalc/security/advisories/GHSA-8w44-hggw-p5rf
- https://github.com/sagemathinc/cocalc/commit/419862a9c9879c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.