Platform: other
Component: oxidized-web
CVE-2019-25088 describes a cross-site scripting (XSS) vulnerability, rated problematic, in Oxidized Web, the web front end for the Oxidized network device configuration backup tool. The flaw lets an attacker inject script into a page served by the application, potentially compromising user sessions and data integrity. Versions prior to commit 55ab9bdc68b03ebce9280b8746ef31d7fdedcc45 are affected; that commit is the patch.
Successful exploitation of CVE-2019-25088 allows an attacker to execute arbitrary JavaScript in the browser of a user of the Oxidized Web application. This can lead to session hijacking, defacement of the web interface, and theft of data visible to that user, which for Oxidized means backed-up device configurations. The attacker triggers the XSS by manipulating the 'toresearch' argument of the configuration search, in the 'conf_search.haml' view. Because the value is reflected back into the page, a victim with a valid session must open an attacker-crafted link for the payload to fire. While the CVSS score is LOW, the potential for user compromise and data theft warrants prompt remediation.
CVE-2019-25088 was published in 2022, three years after the year in its identifier, indicating a delayed disclosure. There is no indication of active exploitation or of inclusion in the CISA KEV catalog. No public proof-of-concept exploit is widely available, but for a reflected XSS a working proof of concept is a single crafted URL, so its absence offers little assurance. Note that CVSS measures severity, not likelihood; the EPSS estimate on this page (0.32%, 55th percentile) is the better indicator of exploitation probability, and it likewise points to a low probability of exploitation in the wild.
Organizations running Oxidized Web are at risk, especially those on older, unpatched versions or with custom configurations and integrations that expose the search view. Any deployment where more than one operator logs into the same Oxidized Web instance is exposed, since the injected script runs in the browser of whichever operator opens the crafted link, with that operator's session and access to the backed-up configurations.
Disclosure
Exploit status
EPSS: 0.32% (55th percentile)
CVSS vector
The primary mitigation for CVE-2019-25088 is to upgrade to a build that includes patch 55ab9bdc68b03ebce9280b8746ef31d7fdedcc45, which addresses the vulnerability by sanitizing the 'toresearch' argument before it is rendered. If patching immediately is not feasible, make sure the value is HTML-escaped on output (output encoding is the control that stops reflected XSS; input validation on its own is only a weaker backstop) and restrict access to the web interface to trusted networks, since exploitation requires a logged-in user to open a crafted link. After patching, verify the fix by submitting a harmless marker payload such as <script>alert(1)</script> through the 'conf_search' functionality and confirming that the response contains it only in HTML-entity-encoded form (for example &lt;script&gt;), never as a live tag.
Update the oxidized-web gem to the version that includes the XSS fix. Consult the oxidized-web repository on GitHub for details about the update and the specific patch (55ab9bdc68b03ebce9280b8746ef31d7fdedcc45).
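The reflection mechanism described above and the post-patch check can be modelled in a few lines of Ruby. The following is an added example, not code from the oxidized-web project or from its patch: it uses a minimal stand-in for the search view (the real view is a Haml template; the `/nodes/conf_search` path and the `<h1>` markup here are assumptions, so check the instance's own routes) and shows the unescaped output that produces the XSS beside the escaped form, plus a classifier that tells a tester whether a captured response reflects the probe raw, encoded, or not at all.

```ruby
require "cgi"
require "uri"

# Added example, not oxidized-web code. Models a search page that echoes the
# `toresearch` parameter back into the HTML, as the conf_search view does.

# Vulnerable form: the parameter is interpolated raw into the markup, which is
# what unescaped output (`!=`) in a Haml view amounts to.
def render_search_unescaped(toresearch)
  "<h1>Results for #{toresearch}</h1>"
end

# Hardened form: the parameter is HTML-entity encoded on output, which is the
# control that actually stops reflected XSS (input validation alone is not).
def render_search_escaped(toresearch)
  "<h1>Results for #{CGI.escapeHTML(toresearch)}</h1>"
end

# Harmless marker payload for the verification step.
XSS_PROBE = %q{<script>alert('xss')</script>}

# Builds the URL a tester would request against a live instance.
# The /nodes/conf_search path is an assumption; confirm it against the routes
# of the deployed version. The payload is percent-encoded so the browser sends
# it intact and the server sees the exact probe string.
def probe_url(base, payload = XSS_PROBE)
  "#{base}/nodes/conf_search?" + URI.encode_www_form("toresearch" => payload)
end

# Classifies a captured response body:
#   :vulnerable    the probe came back byte-for-byte, i.e. as a live tag
#   :escaped       the probe came back entity-encoded (patched behaviour)
#   :not_reflected the probe does not appear at all
def classify_reflection(html, payload = XSS_PROBE)
  return :vulnerable if html.include?(payload)
  return :escaped if html.include?(CGI.escapeHTML(payload))
  :not_reflected
end

if __FILE__ == $PROGRAM_NAME
  puts probe_url("http://oxidized.example")
  puts classify_reflection(render_search_unescaped(XSS_PROBE)) # vulnerable
  puts classify_reflection(render_search_escaped(XSS_PROBE))   # escaped
end
```

To use the classifier against a real deployment, fetch `probe_url(...)` with an authenticated session and pass the response body to `classify_reflection`; a patched instance must return `:escaped` (or `:not_reflected` if the view no longer echoes the term), never `:vulnerable`.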
CVE-2019-25088 is a cross-site scripting (XSS) vulnerability in Oxidized Web, allowing attackers to inject malicious scripts. It affects versions before patch 55ab9bdc68b03ebce9280b8746ef31d7fdedcc45.
You are affected if you are running a version of Oxidized Web prior to the patch 55ab9bdc68b03ebce9280b8746ef31d7fdedcc45. Upgrade to the patched version immediately.
Apply the patch 55ab9bdc68b03ebce9280b8746ef31d7fdedcc45. If immediate patching isn't possible, implement input validation and output encoding.
There is no current evidence of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to VDB-216870 for details on this vulnerability.