PT-2022-27059 · Unknown · Csaf Provider

Damian Pfammatter · Published 2022-12-13 · Updated 2024-08-21 · CVE-2022-43996

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
csaf provider versions prior to 0.8.2

Description
The issue allows for Cross-site Scripting (XSS) via a crafted CSAF document uploaded as text/html. The "upload" endpoint accepts valid CSAF advisories in JSON format even when they are submitted with Content-Type text/html and a filename ending in .html; the provider stores the file under that name and Content-Type without normalising either. When such an advisory is later fetched with a web browser, it is served and interpreted as an HTML page rather than as JSON, so JavaScript embedded in the advisory (for example in a free-text field such as the document title) executes within the browser context of users inspecting the advisory.

Recommendations
For versions prior to 0.8.2, update to version 0.8.2 or later to resolve the issue. As a temporary workaround, restrict access to the "upload" endpoint to trusted, authenticated users to minimise the risk of exploitation, and do not use the endpoint to upload CSAF advisories with Content-Type text/html or an .html filename until the issue is resolved.
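The following Go program is an added illustration of the mechanism described above and of the kind of server-side gate that closes it; it is not code from the csaf provider project. It models the provider's advisory directory as an in-memory store: `UploadUnchecked` keeps whatever filename and Content-Type the client supplied (the pre-0.8.2 behaviour as the advisory describes it), while `CheckUpload`/`UploadChecked` accept only a plain `.json` basename, an `application/json` media type and a JSON object carrying the CSAF `document` member, and always serve the result as `application/json`. The function names, the `Store` type and the sample advisory with a `<script>` in its title are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
	"path"
	"strings"
	"sync"
)

// storedFile keeps an uploaded advisory together with the Content-Type
// it will later be served with (hypothetical stand-in for files on disk).
type storedFile struct {
	ContentType string
	Body        []byte
}

// Store is an in-memory stand-in for the provider's advisory directory.
type Store struct {
	mu    sync.Mutex
	files map[string]storedFile
}

func NewStore() *Store { return &Store{files: map[string]storedFile{}} }

// UploadUnchecked mirrors the behaviour the advisory describes: the body is
// checked to be JSON, but the caller-supplied filename and Content-Type are
// stored verbatim and echoed back on download.
func (s *Store) UploadUnchecked(name, contentType string, body []byte) error {
	if !json.Valid(body) {
		return errors.New("body is not JSON")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.files[name] = storedFile{ContentType: contentType, Body: body}
	return nil
}

// CheckUpload is the hardened gate. It rejects anything that is not a plain
// ".json" basename (no directory components), anything whose declared media
// type is not application/json, and any body that is not a JSON object with
// the CSAF "document" member.
func CheckUpload(name, contentType string, body []byte) error {
	if name != path.Base(name) || !strings.HasSuffix(strings.ToLower(name), ".json") {
		return fmt.Errorf("filename %q must be a plain .json name", name)
	}
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil || mt != "application/json" {
		return fmt.Errorf("content type %q is not application/json", contentType)
	}
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(body, &doc); err != nil {
		return fmt.Errorf("body is not a JSON object: %w", err)
	}
	if _, ok := doc["document"]; !ok {
		return errors.New(`missing CSAF "document" member`)
	}
	return nil
}

// UploadChecked runs CheckUpload and then stores the advisory with a fixed
// application/json Content-Type, ignoring whatever the client claimed.
func (s *Store) UploadChecked(name, contentType string, body []byte) error {
	if err := CheckUpload(name, contentType, body); err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.files[name] = storedFile{ContentType: "application/json", Body: body}
	return nil
}

// ServedContentType returns the Content-Type a browser fetching the file
// would receive, and whether the file exists.
func (s *Store) ServedContentType(name string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	f, ok := s.files[name]
	return f.ContentType, ok
}

func main() {
	// Constructed sample: structurally valid JSON whose title carries script.
	csaf := []byte(`{"document":{"title":"<script>alert(document.domain)</script>"}}`)

	s := NewStore()
	_ = s.UploadUnchecked("advisory.html", "text/html", csaf)
	ct, _ := s.ServedContentType("advisory.html")
	fmt.Println("unchecked upload served as:", ct) // text/html: browser renders it

	if err := s.UploadChecked("advisory.html", "text/html", csaf); err != nil {
		fmt.Println("checked upload rejected:", err)
	}
	_ = s.UploadChecked("advisory.json", "application/json", csaf)
	ct, _ = s.ServedContentType("advisory.json")
	fmt.Println("checked upload served as:", ct) // application/json
}
```

In a real HTTP handler the same gate runs before the file is written, and the download path should additionally send `X-Content-Type-Options: nosniff` so a browser does not second-guess the declared JSON type. Note that the title string is left untouched: the defence is in the media type and filename, not in escaping advisory contents, because a CSAF document served as JSON is never rendered as markup.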

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-43996
GHSA-XXFX-W2RW-GH63
GO-2022-1164

Affected Products

Csaf Provider