admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#7967

Browse Source 
Auto-merge PR#7967
This commit is contained in:
CVE Team 2022-11-09 15:20:13 -05:00 committed by GitHub
commit 2ddddc0583
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
2022/39xxx/CVE-2022-39390.json
View File

@ -1,91 +1,18 @@
{
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-39390",
"STATE": "PUBLIC",
"TITLE": "User-supplied images can inject executable JavaScript"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octocat.js",
"version": {
"version_data": [
{
"version_value": "< 1.2"
}
]
}
}
]
},
"vendor_name": "octocademy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2022-39390",
"ASSIGNER": "security-advisories@github.com",
"STATE": "REJECT"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "Octocat.js is a library used to render a set of options into an SVG. Versions prior to 1.2 are subject to JavaScript injection via user provided URLs. Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code. This vulnerability was fixed in version 1.2 of octocat.js. As a workaround, writing an image to disk then using that image in an image element in HTML mitigates the risk."
"value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-36534. Reason: This candidate is a reservation duplicate of CVE-2020-36534. Notes: All CVE users should reference CVE-2020-36534 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-94: Improper Control of Generation of Code ('Code Injection')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/octocademy/octocat.js/security/advisories/GHSA-r4jg-5v89-9v62",
"refsource": "CONFIRM",
"url": "https://github.com/octocademy/octocat.js/security/advisories/GHSA-r4jg-5v89-9v62"
}
]
},
"source": {
"advisory": "GHSA-r4jg-5v89-9v62",
"discovery": "UNKNOWN"
}
}
}