Home > Vulnerability Database > CVE-2023-40024

Mend.io Vulnerability Database

CVE-2023-40024

Good to know:

Date: August 14, 2023

ScanCode.io is a server to script and automate software composition analysis pipelines. In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the `license_details_view` function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release `32.5.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Python

Severity Score

6.1

Related Resources (4)

Url: https://github.com/nexB/scancode.io/blob/dd7769fbc97c84545579cebf1dc4838214098a11/CHANGELOG.rst#v3252-2023-08-14

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40024

Url: https://github.com/nexB/scancode.io/security/advisories/GHSA-6xcx-gx7r-rccj

Url: https://www.mend.io/vulnerability-database/CVE-2023-40024

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version scancodeio - 32.5.2

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40024

Good to know:

Date: August 14, 2023

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?