Search criteria
6 vulnerabilities found for beancount/fava by beancount
CVE-2022-2589 (GCVE-0-2022-2589)
Vulnerability from cvelistv5 – Published: 2022-08-01 14:12 – Updated: 2024-08-03 00:39
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in beancount/fava
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3.
Severity ?
6.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| beancount | beancount/fava |
Affected:
unspecified , < 1.22.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "beancount/fava",
"vendor": "beancount",
"versions": [
{
"lessThan": "1.22.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-01T14:12:23",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539"
}
],
"source": {
"advisory": "8705800d-cf2f-433d-9c3e-dbef6a3f7e08",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in beancount/fava",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2589",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in beancount/fava"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "beancount/fava",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.22.3"
}
]
}
}
]
},
"vendor_name": "beancount"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08"
},
{
"name": "https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539",
"refsource": "MISC",
"url": "https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539"
}
]
},
"source": {
"advisory": "8705800d-cf2f-433d-9c3e-dbef6a3f7e08",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2589",
"datePublished": "2022-08-01T14:12:23",
"dateReserved": "2022-07-30T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2523 (GCVE-0-2022-2523)
Vulnerability from cvelistv5 – Published: 2022-07-25 13:43 – Updated: 2024-08-03 00:39
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in beancount/fava
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| beancount | beancount/fava |
Affected:
unspecified , < 1.22.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "beancount/fava",
"vendor": "beancount",
"versions": [
{
"lessThan": "1.22.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T13:43:39",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b"
}
],
"source": {
"advisory": "2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in beancount/fava",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2523",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in beancount/fava"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "beancount/fava",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.22.2"
}
]
}
}
]
},
"vendor_name": "beancount"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f"
},
{
"name": "https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b",
"refsource": "MISC",
"url": "https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b"
}
]
},
"source": {
"advisory": "2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2523",
"datePublished": "2022-07-25T13:43:39",
"dateReserved": "2022-07-23T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2514 (GCVE-0-2022-2514)
Vulnerability from cvelistv5 – Published: 2022-07-25 13:42 – Updated: 2024-08-03 00:39
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in beancount/fava
Summary
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| beancount | beancount/fava |
Affected:
unspecified , < 1.22
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "beancount/fava",
"vendor": "beancount",
"versions": [
{
"lessThan": "1.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T13:42:34",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711"
}
],
"source": {
"advisory": "dbf77139-4384-4dc5-9994-45a5e0747429",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in beancount/fava",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2514",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in beancount/fava"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "beancount/fava",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.22"
}
]
}
}
]
},
"vendor_name": "beancount"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429"
},
{
"name": "https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711",
"refsource": "MISC",
"url": "https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711"
}
]
},
"source": {
"advisory": "dbf77139-4384-4dc5-9994-45a5e0747429",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2514",
"datePublished": "2022-07-25T13:42:34",
"dateReserved": "2022-07-22T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2589 (GCVE-0-2022-2589)
Vulnerability from nvd – Published: 2022-08-01 14:12 – Updated: 2024-08-03 00:39
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in beancount/fava
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3.
Severity ?
6.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| beancount | beancount/fava |
Affected:
unspecified , < 1.22.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "beancount/fava",
"vendor": "beancount",
"versions": [
{
"lessThan": "1.22.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-01T14:12:23",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539"
}
],
"source": {
"advisory": "8705800d-cf2f-433d-9c3e-dbef6a3f7e08",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in beancount/fava",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2589",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in beancount/fava"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "beancount/fava",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.22.3"
}
]
}
}
]
},
"vendor_name": "beancount"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08"
},
{
"name": "https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539",
"refsource": "MISC",
"url": "https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539"
}
]
},
"source": {
"advisory": "8705800d-cf2f-433d-9c3e-dbef6a3f7e08",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2589",
"datePublished": "2022-08-01T14:12:23",
"dateReserved": "2022-07-30T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2523 (GCVE-0-2022-2523)
Vulnerability from nvd – Published: 2022-07-25 13:43 – Updated: 2024-08-03 00:39
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in beancount/fava
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| beancount | beancount/fava |
Affected:
unspecified , < 1.22.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "beancount/fava",
"vendor": "beancount",
"versions": [
{
"lessThan": "1.22.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T13:43:39",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b"
}
],
"source": {
"advisory": "2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in beancount/fava",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2523",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in beancount/fava"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "beancount/fava",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.22.2"
}
]
}
}
]
},
"vendor_name": "beancount"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f"
},
{
"name": "https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b",
"refsource": "MISC",
"url": "https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b"
}
]
},
"source": {
"advisory": "2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2523",
"datePublished": "2022-07-25T13:43:39",
"dateReserved": "2022-07-23T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2514 (GCVE-0-2022-2514)
Vulnerability from nvd – Published: 2022-07-25 13:42 – Updated: 2024-08-03 00:39
VLAI?
Title
Cross-site Scripting (XSS) - Reflected in beancount/fava
Summary
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| beancount | beancount/fava |
Affected:
unspecified , < 1.22
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "beancount/fava",
"vendor": "beancount",
"versions": [
{
"lessThan": "1.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T13:42:34",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711"
}
],
"source": {
"advisory": "dbf77139-4384-4dc5-9994-45a5e0747429",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in beancount/fava",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2514",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Reflected in beancount/fava"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "beancount/fava",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.22"
}
]
}
}
]
},
"vendor_name": "beancount"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429"
},
{
"name": "https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711",
"refsource": "MISC",
"url": "https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711"
}
]
},
"source": {
"advisory": "dbf77139-4384-4dc5-9994-45a5e0747429",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2514",
"datePublished": "2022-07-25T13:42:34",
"dateReserved": "2022-07-22T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}