Search criteria
2 vulnerabilities found for harbor by goharbor
CVE-2025-32019 (GCVE-0-2025-32019)
Vulnerability from cvelistv5 – Published: 2025-07-23 20:38 – Updated: 2025-07-23 20:47
VLAI?
Title
Harbor's repository description page allows for XSS
Summary
Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3.
Severity ?
4.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T20:47:38.788563Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T20:47:47.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "harbor",
"vendor": "goharbor",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.12.0-rc1, \u003c 2.12.4-rc1"
},
{
"status": "affected",
"version": "\u003e= 2.13.0-rc1, \u003c 2.13.1-rc1"
},
{
"status": "affected",
"version": "\u003c= 2.4.0-rc1.1, \u003c 2.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T20:38:10.966Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq"
},
{
"name": "https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058"
},
{
"name": "https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088"
},
{
"name": "https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5"
}
],
"source": {
"advisory": "GHSA-f9vc-vf3r-pqqq",
"discovery": "UNKNOWN"
},
"title": "Harbor\u0027s repository description page allows for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32019",
"datePublished": "2025-07-23T20:38:10.966Z",
"dateReserved": "2025-04-01T21:57:32.954Z",
"dateUpdated": "2025-07-23T20:47:47.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32019 (GCVE-0-2025-32019)
Vulnerability from nvd – Published: 2025-07-23 20:38 – Updated: 2025-07-23 20:47
VLAI?
Title
Harbor's repository description page allows for XSS
Summary
Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3.
Severity ?
4.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T20:47:38.788563Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T20:47:47.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "harbor",
"vendor": "goharbor",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.12.0-rc1, \u003c 2.12.4-rc1"
},
{
"status": "affected",
"version": "\u003e= 2.13.0-rc1, \u003c 2.13.1-rc1"
},
{
"status": "affected",
"version": "\u003c= 2.4.0-rc1.1, \u003c 2.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T20:38:10.966Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq"
},
{
"name": "https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058"
},
{
"name": "https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088"
},
{
"name": "https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5"
}
],
"source": {
"advisory": "GHSA-f9vc-vf3r-pqqq",
"discovery": "UNKNOWN"
},
"title": "Harbor\u0027s repository description page allows for XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32019",
"datePublished": "2025-07-23T20:38:10.966Z",
"dateReserved": "2025-04-01T21:57:32.954Z",
"dateUpdated": "2025-07-23T20:47:47.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}