CVE-2023-24065

Date: January 28, 2023

NOSH 4a5cfdb allows stored XSS via the create user page. For example, a first name (of a physician, assistant, or billing user) can have a JavaScript payload that is executed upon visiting the /users/2/1 page. This may allow attackers to steal Protected Health Information because the product is for health charting.

Language: PHP

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version


CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE
