admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-07 19:17:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#5757

Browse Source 
Auto-merge PR#5757
This commit is contained in:
CVE Team 2022-05-18 16:30:19 -04:00 committed by GitHub
commit f4a9649d5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 81 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
2022/29xxx/CVE-2022-29230.json
View File

@ -1,18 +1,93 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29230",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Potential cross-site scripting (XSS) vulnerability in Hydrogen"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hydrogen",
"version": {
"version_data": [
{
"version_value": ">= 0.10.0, <= 0.18.0"
}
]
}
}
]
},
"vendor_name": "Shopify"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability. "
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f",
"refsource": "CONFIRM",
"url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"
},
{
"name": "https://github.com/Shopify/hydrogen/pull/1272",
"refsource": "MISC",
"url": "https://github.com/Shopify/hydrogen/pull/1272"
},
{
"name": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0",
"refsource": "MISC",
"url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"
}
]
},
"source": {
"advisory": "GHSA-6j22-wv8g-894f",
"discovery": "UNKNOWN"
}
}