CVE-2023-30094: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 4, 2023 (updated May 5, 2023)

A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the settings module.

References

github.com/advisories/GHSA-jj45-24rw-v6jw
github.com/totaljs/flow/issues/100
github.com/totaljs/framework4/commit/e2cea690c3fe4453e94da896a69f832511f65179
nvd.nist.gov/vuln/detail/CVE-2023-30094
www.edoardoottavianelli.it/CVE-2023-30094/

Code Behaviors & Features

Detect and mitigate CVE-2023-30094 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →