CVE-2024-37160: Cross-site scripting (XSS) vulnerability in Description metadata
(updated )
Regardless of the role or privileges, no user should be able to inject malicious JavaScript (JS) scripts into the body HTML. an XSS (Cross-Site Scripting) vulnerability, specifically a Stored XSS, which affects all pages of the website. Once the JS script is embedded in the body HTML, the XSS will trigger on any page a victim visits, such as the about, blog, contact, or any other pages, except for the panel.
References
- github.com/advisories/GHSA-5pxr-7m4j-jjc6
- github.com/getformwork/formwork
- github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b
- github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5
- github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6
- nvd.nist.gov/vuln/detail/CVE-2024-37160
Code Behaviors & Features
Detect and mitigate CVE-2024-37160 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →