Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-40024

Good to know:

icon
icon

Date: August 14, 2023

ScanCode.io is a server to script and automate software composition analysis pipelines. In the "/license/" endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the "license_details_view" function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release "32.5.2". Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Python

Severity Score

Related Resources (6)

https://github.com/nexB/scancode.io/blob/dd7769fbc97c84545579cebf1dc4838214098a11/CHANGELOG.rst#v3252-2023-08-14
https://nvd.nist.gov/vuln/detail/CVE-2023-40024
https://github.com/nexB/scancode.io/security/advisories/GHSA-6xcx-gx7r-rccj
https://github.com/nexB/scancode.io
https://github.com/nexB/scancode.io/releases/tag/v32.5.2
https://www.mend.io/vulnerability-database/CVE-2023-40024

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version scancodeio - 32.5.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us