jhpyle docassemble up to 1.4.96 user name cross site scripting

Summaryinfo

A vulnerability was found in jhpyle docassemble up to 1.4.96. It has been classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument user name leads to cross site scripting. This vulnerability is referenced as CVE-2024-27290. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in jhpyle docassemble up to 1.4.96. It has been rated as problematic. This issue affects an unknown code block. The manipulation of the argument user name with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. The summary by CVE is:

Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.

The weakness was published 03/01/2024 as GHSA-pcfx-g2j2-f6f6. The advisory is shared at github.com. The identification of this vulnerability is CVE-2024-27290 since 02/22/2024. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

Upgrading to version 1.4.97 eliminates this vulnerability. Applying the patch 4801ac7ff7c90df00ac09523077930cdb6dea2aa is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• jhpyle

Name

• docassemble

Version

• 1.4.0
• 1.4.1
• 1.4.2
• 1.4.3
• 1.4.4
• 1.4.5
• 1.4.6
• 1.4.7
• 1.4.8
• 1.4.9
• 1.4.10
• 1.4.11
• 1.4.12
• 1.4.13
• 1.4.14
• 1.4.15
• 1.4.16
• 1.4.17
• 1.4.18
• 1.4.19
• 1.4.20
• 1.4.21
• 1.4.22
• 1.4.23
• 1.4.24
• 1.4.25
• 1.4.26
• 1.4.27
• 1.4.28
• 1.4.29
• 1.4.30
• 1.4.31
• 1.4.32
• 1.4.33
• 1.4.34
• 1.4.35
• 1.4.36
• 1.4.37
• 1.4.38
• 1.4.39
• 1.4.40
• 1.4.41
• 1.4.42
• 1.4.43
• 1.4.44
• 1.4.45
• 1.4.46
• 1.4.47
• 1.4.48
• 1.4.49
• 1.4.50
• 1.4.51
• 1.4.52
• 1.4.53
• 1.4.54
• 1.4.55
• 1.4.56
• 1.4.57
• 1.4.58
• 1.4.59
• 1.4.60
• 1.4.61
• 1.4.62
• 1.4.63
• 1.4.64
• 1.4.65
• 1.4.66
• 1.4.67
• 1.4.68
• 1.4.69
• 1.4.70
• 1.4.71
• 1.4.72
• 1.4.73
• 1.4.74
• 1.4.75
• 1.4.76
• 1.4.77
• 1.4.78
• 1.4.79
• 1.4.80
• 1.4.81
• 1.4.82
• 1.4.83
• 1.4.84
• 1.4.85
• 1.4.86
• 1.4.87
• 1.4.88
• 1.4.89
• 1.4.90
• 1.4.91
• 1.4.92
• 1.4.93
• 1.4.94
• 1.4.95
• 1.4.96

License

• open-source

Website

• Product: https://github.com/jhpyle/docassemble/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion