CVE-2023-40024

Name of the Vulnerable Software and Affected Versions ScanCode.io versions prior to 32.5.2

Description The issue arises from inadequate validation and sanitization of the key parameter in the /license/ endpoint, specifically in the license details view function. This can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the license details view function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information.

Recommendations To resolve the issue, upgrade to release 32.5.2 or later. As a temporary workaround, consider restricting access to the /license/ endpoint or disabling the license details view function until a patch is available. Avoid using malicious javascript in the key parameter to minimize the risk of exploitation.