Skip to main content

Opencats CVE-2023-27294

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-02-28 vulnreport@tenable.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 28, 2023 - 17:15 nvd
MEDIUM 5.4

DescriptionNVD

Improper neutralization of input during web page generation allows an authenticated attacker with access to a restricted account to submit malicious Javascript as the description for a calendar event, which would then be executed in other users' browsers if they browse to that event. This could result in stealing session tokens from users with higher permission levels or forcing users to make actions without their knowledge.

AnalysisAI

Improper neutralization of input during web page generation allows an authenticated attacker with access to a restricted account to submit malicious Javascript as the description for a calendar. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Improper neutralization of input during web page generation allows an authenticated attacker with access to a restricted account to submit malicious Javascript as the description for a calendar event, which would then be executed in other users' browsers if they browse to that event. This could result in stealing session tokens from users with higher permission levels or forcing users to make actions without their knowledge. Affected products include: Opencats.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2022-43019 CRITICAL POC
9.8 Oct 19

OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax fu

CVE-2021-41560 CRITICAL POC
9.8 Dec 15

OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUti

CVE-2021-25294 CRITICAL POC
9.8 Jan 18

OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. Rated cr

CVE-2026-27760 CRITICAL POC
9.2 Apr 28

Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by

CVE-2019-13358 HIGH POC
7.5 Jul 05

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying opera

CVE-2022-43023 MEDIUM POC
6.5 Oct 19

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerr

CVE-2022-43022 MEDIUM POC
6.5 Oct 19

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag deletion func

CVE-2022-43021 MEDIUM POC
6.5 Oct 19

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable. Rated medium se

CVE-2022-43020 MEDIUM POC
6.5 Oct 19

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update functi

CVE-2023-27293 MEDIUM POC
6.1 Feb 28

Improper neutralization of input during web page generation allows an unauthenticated attacker to submit malicious Javas

CVE-2022-43018 MEDIUM POC
6.1 Oct 19

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter i

CVE-2022-43017 MEDIUM POC
6.1 Oct 19

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile compone

Share

CVE-2023-27294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy