Vulnerability Details : CVE-2022-31136
Bookwyrm is an open source social reading and reviewing program. Versions of Bookwyrm prior to 0.4.1 did not properly sanitize html being rendered to users. Unprivileged users are able to inject scripts into user profiles, book descriptions, and statuses. These vulnerabilities may be exploited as cross site scripting attacks on users viewing these fields. Users are advised to upgrade to version 0.4.1. There are no known workarounds for this issue.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-31136
- cpe:2.3:a:joinbookwyrm:bookwyrm:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31136
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 16 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-31136
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | |
|
6.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
2.8
|
3.4
|
GitHub, Inc. |
CWE ids for CVE-2022-31136
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-31136
-
https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-2cfh-v7rf-pxfp
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in BookWyrm · Advisory · bookwyrm-social/bookwyrm · GitHubThird Party Advisory
-
https://github.com/bookwyrm-social/bookwyrm/commit/fe33fdcf564a6a5667aef75d5456bea08feab50d
Merge pull request #2173 from bookwyrm-social/html-sanitizer · bookwyrm-social/bookwyrm@fe33fdc · GitHubPatch;Third Party Advisory
Jump to