Vulnerability Details: CVE-2019-13122
A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-13122
- cpe:2.3:a:ozlabs:patchwork:*:*:*:*:*:*:*:*
- cpe:2.3:a:ozlabs:patchwork:*:*:*:*:*:*:*:*
- cpe:2.3:a:ozlabs:patchwork:2.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:ozlabs:patchwork:2.1.0:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-13122
- EPSS score: 0.27% (probability of exploitation activity in the next 30 days)
- Percentile: ~68% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-13122
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
CWE ids for CVE-2019-13122
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-13122
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/date.html : The Patchwork July 2019 Archive by date (Vendor Advisory)
- https://github.com/getpatchwork/patchwork/releases : Releases · getpatchwork/patchwork · GitHub (Release Notes; Third Party Advisory)
- http://jk.ozlabs.org/projects/patchwork/ : patchwork (Vendor Advisory)
- https://github.com/getpatchwork/patchwork/commits/master : Commits · getpatchwork/patchwork · GitHub (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/07/05/1 : oss-security - CVE-2019-13122: Patchwork: XSS via Message-ID (Mailing List; Third Party Advisory)
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/005878.html : [PATCH] docs: Add a release note for CVE-2019-13122 (Mailing List; Vendor Advisory)
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/005870.html : [PATCH 0/2] XSS in Patchwork - CVE-2019-13122 (Mailing List; Vendor Advisory)