PT-2017-13910 · Shaarli · Shaarli

Chb9

Published

2017-10-10

Updated

2017-10-27

CVE-2017-15215

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Shaarli version 0.9.1

Description The issue allows an unauthenticated attacker to inject JavaScript via the searchtags parameter to "index.php". If the victim is an administrator, an attacker can take over the admin session, change global settings, or add/delete links. It is also possible to execute JavaScript against unauthenticated users.

Recommendations For Shaarli version 0.9.1, consider restricting access to the "index.php" endpoint or avoiding the use of the searchtags parameter until a fix is available. As a temporary workaround, restrict the ability to inject JavaScript code to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-15215

Affected Products

Shaarli

PT-2017-13910 · Shaarli · Shaarli

CVE-2017-15215

Weakness Enumeration

Related Identifiers

Affected Products

References · 5