PT-2018-11016 · Airbnb · Airbnb Knowledge Repo

Ekzorcisto · Published 2018-06-17 · Updated 2022-05-14 · CVE-2018-12104

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Airbnb Knowledge Repo versions 0.7.4 through 0.8.x
Airbnb Knowledge Repo versions prior to 0.9.0

Description

A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the "post/posts/new report.kp" URI. This could potentially affect a significant number of devices, but the exact number is not specified.

Recommendations

For Airbnb Knowledge Repo versions 0.7.4 through 0.8.x, update to version 0.9.0 or later.
For Airbnb Knowledge Repo versions prior to 0.9.0, update to version 0.9.0 or later.
As a temporary workaround, consider restricting access to the post comments functionality until a patch is available.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-12104
GHSA-XMW7-848P-P95W
PYSEC-2018-116

Affected Products

Airbnb Knowledge Repo