CVE-2019-25075: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

August 24, 2022 (updated August 30, 2022)

HTML injection combined with path traversal in the Email service in Gravitee API Management before 1.25.3 allows anonymous users to read arbitrary files via a /management/users/register request.

References

github.com/advisories/GHSA-xc4w-28g8-vqm5
github.com/gravitee-io/gravitee-api-management
medium.com/@maxime.escourbiac/write-up-of-path-traversal-on-gravitee-io-8835941be69f
nvd.nist.gov/vuln/detail/CVE-2019-25075

Code Behaviors & Features

Detect and mitigate CVE-2019-25075 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →