GHSA-XR7P-8Q82-878Q

Vulnerability from github – Published: 2022-12-06 15:36 – Updated: 2025-07-08 19:39
VLAI?
Summary
teler dashboard vulnerable to DOM-based cross-site scripting (XSS)
Details

Description

teler prior to version <= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the /events endpoint, the log data displayed on the dashboard are not sanitized.

Impact

This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users.

Affected Version

This issue was introduced from version v2.0.0-rc to v2.0.0-rc.3 & v2.0.0-dev.

Patches

This vulnerability has been fixed on version v2.0.0-rc.4 & v2.0.0-dev.2.

Workarounds

Here are some workarounds to handle this case: - Deactivate the live event dashboard from the configuration file, or - Upgrade teler version to v2.0.0-rc.4 or v2.0.0-dev.2 & above.

References

  • https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e
Severity ?
3.1 (Low)
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-rc.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "teler.app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-rc"
            },
            {
              "fixed": "2.0.0-rc.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "teler.app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-dev"
            },
            {
              "fixed": "2.0.0-dev.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.0.0-dev"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "teler.app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20220625162531-2289e90590a9"
            },
            {
              "fixed": "0.0.0-20221203202318-20f59eda2420"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "teler.app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.3-0.20220625162531-2289e90590a9"
            },
            {
              "fixed": "1.2.3-0.20221203202318-20f59eda2420"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T15:36:15Z",
    "nvd_published_at": "2022-12-06T18:15:00Z",
    "severity": "LOW"
  },
  "details": "### Description\n\nteler prior to version \u003c= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized.\n\n### Impact\n\nThis only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users.\n\n### Affected Version\n\nThis issue was introduced from version `v2.0.0-rc` to `v2.0.0-rc.3` \u0026 `v2.0.0-dev`.\n\n### Patches\n\nThis vulnerability has been fixed on version `v2.0.0-rc.4` \u0026 `v2.0.0-dev.2`.\n\n### Workarounds\n\nHere are some workarounds to handle this case:\n- Deactivate the live event dashboard from the configuration file, or\n- Upgrade teler version to `v2.0.0-rc.4` or `v2.0.0-dev.2` \u0026 above.\n\n### References\n\n- https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e",
  "id": "GHSA-xr7p-8q82-878q",
  "modified": "2025-07-08T19:39:18Z",
  "published": "2022-12-06T15:36:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23466"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kitabisa/teler"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "teler dashboard vulnerable to DOM-based cross-site scripting (XSS)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.