YAFNET 直到3.1.10 Private Message PostPrivateMessage subject/message 跨网站脚本

分类为棘手的漏洞已在YAFNET 直到3.1.10中发现。 此漏洞会影响某些未知进程文件/forum/PostPrivateMessage的组件Private Message Handler。 手动调试的软件参数:subject/message不合法输入可导致 跨网站脚本。 漏洞的CWE定义是 CWE-79。 此漏洞的脆弱性 2023-01-27由公示人Chun-Li Lin、公示人所属公司CHT Security Co., Ltd.、公示人身份2237a9d552e258a43570bb478a92a5505e7c8797、所公布。 分享公告的网址是drive.google.com。 该漏洞被标识为CVE-2023-0549, 可以发起远程攻击, 有技术细节可用。 此外还有一个漏洞可利用。 该漏洞利用已公开,可能会被利用。 当前漏洞利用价值为美元大约是 $0-$5k。 MITRE ATT&CK项目使用攻击技术T1059.007来解决该问题。 它被宣布为proof-of-concept。 以下网址提供该漏洞利用:drive.google.com。 我们估计的零日攻击价值约为$0-$5k。 升级到版本3.1.11能够解决此问题。 更新版本下载地址为 github.com。 补丁名称为2237a9d552e258a43570bb478a92a5505e7c8797。 错误修复程序下载地址为github.com, 建议对受到影响的组件升级。 该漏洞被披露后,此前未曾发表过可能的缓解措施。

时间轴

用户

148
3930114

字段

vulnerability_cvss3_meta_tempscore3
vulnerability_cvss3_meta_basescore3
software_version2
advisory_company_name2
vulnerability_cvss3_cna_basescore1

Commit Conf

90%45
70%18
100%14
50%9

Approve Conf

90%59
70%18
80%9
ID已提交用户字段更改备注已接受地位C
137228502023-02-23VulD...cvss3_cna_basescore3.5see CVSS documentation2023-02-23已接受
90
137228492023-02-23VulD...cvss2_nvd_basescore4.0nist.gov2023-02-23已接受
90
137228482023-02-23VulD...cvss3_meta_tempscore4.0see CVSS documentation2023-02-23已接受
90
137228472023-02-23VulD...cvss3_meta_basescore4.1see CVSS documentation2023-02-23已接受
90
137228462023-02-23VulD...cve_cnaVulDBnvd.nist.gov2023-02-23已接受
70
137228452023-02-23VulD...cvss3_cna_aNnvd.nist.gov2023-02-23已接受
70
137228442023-02-23VulD...cvss3_cna_iLnvd.nist.gov2023-02-23已接受
70
137228432023-02-23VulD...cvss3_cna_cNnvd.nist.gov2023-02-23已接受
70
137228422023-02-23VulD...cvss3_cna_sUnvd.nist.gov2023-02-23已接受
70
137228412023-02-23VulD...cvss3_cna_uiRnvd.nist.gov2023-02-23已接受
70
137228402023-02-23VulD...cvss3_cna_prLnvd.nist.gov2023-02-23已接受
70
137228392023-02-23VulD...cvss3_cna_acLnvd.nist.gov2023-02-23已接受
70
137228382023-02-23VulD...cvss3_cna_avNnvd.nist.gov2023-02-23已接受
70
137228372023-02-23VulD...cvss2_nvd_aiNnvd.nist.gov2023-02-23已接受
70
137228362023-02-23VulD...cvss2_nvd_iiPnvd.nist.gov2023-02-23已接受
70
137228352023-02-23VulD...cvss2_nvd_ciNnvd.nist.gov2023-02-23已接受
70
137228342023-02-23VulD...cvss2_nvd_auSnvd.nist.gov2023-02-23已接受
70
137228332023-02-23VulD...cvss2_nvd_acLnvd.nist.gov2023-02-23已接受
70
137228322023-02-23VulD...cvss2_nvd_avNnvd.nist.gov2023-02-23已接受
70
137228312023-02-23VulD...cve_nvd_summaryA vulnerability, which was classified as problematic, has been found in YAFNET up to 3.1.10. This issue affects some unknown processing of the file /forum/PostPrivateMessage of the component Private Message Handler. The manipulation of the argument subject/message leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.11 is able to address this issue. The name of the patch is 2237a9d552e258a43570bb478a92a5505e7c8797. It is recommended to upgrade the affected component. The identifier VDB-219665 was assigned to this vulnerability.cve.mitre.org2023-02-23已接受
70

66 更多条目未显示

🔒 Login Required

You need to signup and login to see more of the remaining 66 results.

上一步一览下一步

Want to stay up to date on a daily basis?

Enable the mail alert feature now!