Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/680211?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/680211?format=api", "purl": "pkg:pypi/malojaserver@2.7.7", "type": "pypi", "namespace": "", "name": "malojaserver", "version": "2.7.7", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.2.2", "latest_non_vulnerable_version": "3.2.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360948?format=api", "vulnerability_id": "VCID-qy7p-b6z5-q3fy", "summary": "Maloja error page XSS vulnerability\n### Impact\nThe error page for a missing path echoes the path back to the user. If this contains HTML, an attacker could execute a script on the user's machine inside the Maloja context and perform authorized actions like scrobbling or deleting scrobbles.\nThis does not affect the security of your server. The exploit is purely client-side.\nSince there is very little incentive to mess with your scrobble data and it requires very specific targeting (an attacker would have to send a user a link to their own server), the severity rating might be misleading.\n\n### Patches\nThe Vulnerability is patched in 3.2.2", "references": [ { "reference_url": "https://github.com/krateng/maloja", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/krateng/maloja" }, { "reference_url": "https://github.com/krateng/maloja/commit/febaff97228b37a192f2630aa331cac5e5c3e98e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/krateng/maloja/commit/febaff97228b37a192f2630aa331cac5e5c3e98e" }, { "reference_url": "https://github.com/krateng/maloja/security/advisories/GHSA-4h72-34j6-j8x7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/krateng/maloja/security/advisories/GHSA-4h72-34j6-j8x7" }, { "reference_url": "https://github.com/advisories/GHSA-4h72-34j6-j8x7", "reference_id": "GHSA-4h72-34j6-j8x7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4h72-34j6-j8x7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/380319?format=api", "purl": "pkg:pypi/malojaserver@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/malojaserver@3.2.2" } ], "aliases": [ "GHSA-4h72-34j6-j8x7", "GMS-2023-6515" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qy7p-b6z5-q3fy" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/malojaserver@2.7.7" }