Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-esma-wxje-eqh3

Summary

Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.

> [!NOTE]
> This is a separate vulnerability from the previously reported "[Stored XSS via User Group Name in User Settings Page](https://github.com/craftcms/cms/security/advisories/GHSA-2423-8xxj-wc3g)" and "[Multiple Stored XSS in User Group Edit Page](https://github.com/craftcms/cms/security/advisories/GHSA-vx7g-xw92-g4xj)". This affects a different sink: the individual user's permissions page.

Aliases

alias	GHSA-g3hp-vvqf-8vw6

Fixed_packages

url pkg:composer/craftcms/cms@5.8.22

purl pkg:composer/craftcms/cms@5.8.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-39ct-cg7w-kyb6

vulnerability	VCID-5q5g-jrxm-eyhe

vulnerability	VCID-a3b5-pwyh-yugv

vulnerability	VCID-fpea-e48p-kfbn

vulnerability	VCID-hkp9-3hzv-quhk

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22

Affected_packages

url pkg:composer/craftcms/cms@5.0.0-RC1

purl pkg:composer/craftcms/cms@5.0.0-RC1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1468-4fdx-kbfr

vulnerability	VCID-1mb5-28xp-ckd2

vulnerability	VCID-39ct-cg7w-kyb6

vulnerability	VCID-4wkr-jx1w-77hn

vulnerability	VCID-5cxe-tjpb-3qan

vulnerability	VCID-5mnd-qvaq-k3am

vulnerability	VCID-5q5g-jrxm-eyhe

vulnerability	VCID-71sv-62m4-z3er

vulnerability	VCID-7y4f-ef7t-47eb

vulnerability	VCID-8u2j-17a4-q7eh

vulnerability	VCID-9enr-b6zd-mbh8

vulnerability	VCID-a3b5-pwyh-yugv

vulnerability	VCID-akrv-yqnf-1kg8

vulnerability	VCID-azr5-12f8-hfbm

vulnerability	VCID-c2nk-y4rx-1qf4

vulnerability	VCID-cys8-jnmu-77ec

vulnerability	VCID-esma-wxje-eqh3

vulnerability	VCID-fpea-e48p-kfbn

vulnerability	VCID-h6t5-pdp5-8qhe

vulnerability	VCID-hkp9-3hzv-quhk

vulnerability	VCID-hyct-5gap-7kdu

vulnerability	VCID-jeyh-3jxd-z3g6

vulnerability	VCID-jsfs-azcs-mfcm

vulnerability	VCID-jxz8-g6fq-dubw

vulnerability	VCID-kbrc-85av-nfcn

vulnerability	VCID-m5rf-usae-yfb7

vulnerability	VCID-pgm4-svq8-tfc5

vulnerability	VCID-ppet-ruae-1kav

vulnerability	VCID-qq68-3j4y-47am

vulnerability	VCID-qywv-vf4r-8bh9

vulnerability	VCID-r5hp-5nju-9ubz

vulnerability	VCID-rb7c-3nkc-gkeg

vulnerability	VCID-twuy-wzb7-k7g3

vulnerability	VCID-vasz-rnn1-67ev

vulnerability	VCID-vvhc-rnpr-ubey

vulnerability	VCID-w9yn-1573-hyau

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.0.0-RC1

url pkg:composer/craftcms/cms@5.8.21

purl pkg:composer/craftcms/cms@5.8.21

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9enr-b6zd-mbh8

vulnerability	VCID-cys8-jnmu-77ec

vulnerability	VCID-esma-wxje-eqh3

vulnerability	VCID-jeyh-3jxd-z3g6

vulnerability	VCID-ppet-ruae-1kav

vulnerability	VCID-twuy-wzb7-k7g3

vulnerability	VCID-vvhc-rnpr-ubey

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21

References

reference_url

https://github.com/craftcms/cms

reference_id

reference_type

scores

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/craftcms/cms

reference_url

https://github.com/craftcms/cms/releases/tag/5.8.22

reference_id

reference_type

scores

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/craftcms/cms/releases/tag/5.8.22

reference_url

https://github.com/advisories/GHSA-g3hp-vvqf-8vw6

reference_id

GHSA-g3hp-vvqf-8vw6

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g3hp-vvqf-8vw6

reference_url

https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6

reference_id

GHSA-g3hp-vvqf-8vw6

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6

Weaknesses

cwe_id	79
name	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 0.1 - 3

Exploitability 0.5

Weighted_severity 2.7

Risk_score 1.4

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-esma-wxje-eqh3

Vulnerability Instance