Search criteria

1 vulnerability by goharbor

CVE-2025-32019 (GCVE-0-2025-32019)

Vulnerability from cvelistv5 – Published: 2025-07-23 20:38 – Updated: 2025-07-23 20:47
VLAI?
Title
Harbor's repository description page allows for XSS
Summary
Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3.
Severity ?
4.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
goharbor harbor Affected: >= 2.12.0-rc1, < 2.12.4-rc1
Affected: >= 2.13.0-rc1, < 2.13.1-rc1
Affected: <= 2.4.0-rc1.1, < 2.11.3
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32019",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-23T20:47:38.788563Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-23T20:47:47.745Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "harbor",
          "vendor": "goharbor",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.12.0-rc1, \u003c 2.12.4-rc1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.13.0-rc1, \u003c 2.13.1-rc1"
            },
            {
              "status": "affected",
              "version": "\u003c= 2.4.0-rc1.1, \u003c 2.11.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-23T20:38:10.966Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq"
        },
        {
          "name": "https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058"
        },
        {
          "name": "https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088"
        },
        {
          "name": "https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5"
        }
      ],
      "source": {
        "advisory": "GHSA-f9vc-vf3r-pqqq",
        "discovery": "UNKNOWN"
      },
      "title": "Harbor\u0027s repository description page allows for XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32019",
    "datePublished": "2025-07-23T20:38:10.966Z",
    "dateReserved": "2025-04-01T21:57:32.954Z",
    "dateUpdated": "2025-07-23T20:47:47.745Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}