CVE-2023-28485
Last modified
CVE-2023-28485 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they have BoardAdmin access), and renameAttachment does not block XSS payloads.. EPSS estimates a 0.97% chance of exploitation in the next 30 days.
Description
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Any user can obtain the privilege to rename within their own board (where they have BoardAdmin access), and renameAttachment does not block XSS payloads.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wekan Project | Wekan | < 6.75 |
References
- http://packetstormsecurity.com/files/172649/Wekan-6.74-Cross-Site-Scripting.htmlExploit, Third Party Advisory, VDB Entry
- https://wekan.github.io/Product
- https://wekan.github.io/hall-of-fame/filebleed/Exploit, Vendor Advisory
- http://packetstormsecurity.com/files/172649/Wekan-6.74-Cross-Site-Scripting.htmlExploit, Third Party Advisory, VDB Entry
- https://wekan.github.io/Product
- https://wekan.github.io/hall-of-fame/filebleed/Exploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-28485?
How severe is CVE-2023-28485?
How do I fix CVE-2023-28485?
Are you affected by CVE-2023-28485?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST