Vulnerability title
LeafKit allows XSS attacks via untrusted user-provided input.
Vulnerability description
LeafKit allows XSS attacks using untrusted user input
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability category
N/A
Vulnerability title
LeafKit allows XSS with untrusted user input
Vulnerability description
LeafKit is a templating language with Swift-inspired syntax. Versions prior to 1.3.0 are susceptible to Cross-site Scripting (XSS) attacks. This affects anyone passing unsanitised data to Leaf's variable tags. Before this fix, Leaf did not escape any strings passed to tags as variables. If an attacker found a variable that was rendered with their unsanitised data, they could inject scripts into a generated Leaf page, which could enable XSS attacks if other mitigations such as a Content Security Policy were not enabled. This has been patched in 1.3.0. As a workaround, sanitise any untrusted input before passing it to Leaf and enable a CSP that blocks inline script and CSS.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Vulnerability category
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Vulnerability title
LeafKit cross-site scripting vulnerability
Vulnerability description
LeafKit is an application library used to build modular server-side software in Swift. LeafKit versions before 1.3.0 contain a cross-site scripting vulnerability that affects anyone passing unprocessed data to Leaf variable tags. Leaf does not escape any string passed to a tag as a variable. An attacker who finds a variable rendered with unprocessed data can inject scripts into the generated Leaf page; if other mitigations such as a Content Security Policy are not enabled, this can lead to a cross-site scripting attack.
CVSS information
N/A
Vulnerability category
Cross-site scripting
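The workaround that both descriptions above give (escape untrusted input before it reaches a Leaf variable tag, and send a CSP that blocks inline script and style) as an added Swift example; this is not LeafKit's or the advisory's own code, and `htmlEscape`, `leafContext`, the CSP string and the sample input are constructed here. The Vapor 4 `req.view.render` call mentioned in the comment is assumed to be how the context would be handed to Leaf.

```swift
import Foundation

// Added example, not LeafKit code. Before 1.3.0 a variable tag such as
// #(name) emitted the string verbatim, so any escaping had to happen before
// the value entered the template context.

/// Escapes the five characters that let text break out of an HTML text or
/// attribute context. Iterating per character avoids double-escaping `&`.
func htmlEscape(_ raw: String) -> String {
    var out = ""
    out.reserveCapacity(raw.utf8.count)
    for ch in raw {
        switch ch {
        case "&":  out += "&amp;"
        case "<":  out += "&lt;"
        case ">":  out += "&gt;"
        case "\"": out += "&quot;"
        case "'":  out += "&#39;"
        default:   out.append(ch)
        }
    }
    return out
}

/// Builds the context dictionary for a Leaf template, escaping every value
/// that came from the request. Trusted, application-generated values are
/// passed through unchanged; nothing user-controlled should be in `trusted`.
func leafContext(untrusted: [String: String],
                 trusted: [String: String] = [:]) -> [String: String] {
    var ctx = trusted
    for (key, value) in untrusted {
        ctx[key] = htmlEscape(value)
    }
    return ctx
}

/// Second layer from the advisory: a policy without 'unsafe-inline' makes the
/// browser refuse inline <script> and <style> even if markup slips through.
/// Send it as the Content-Security-Policy response header.
let contentSecurityPolicy = "default-src 'self'; script-src 'self'; style-src 'self'"

// Constructed sample input standing in for a form field or query parameter.
let userSupplied = ["name": "<b>Bob</b> & \"friends\""]

// Vulnerable pattern: the raw dictionary is the template context, so #(name)
// in a pre-1.3.0 template renders the markup as-is.
let vulnerableContext = userSupplied
// Hardened pattern: escape first, then render, e.g. in a Vapor 4 handler
// req.view.render("profile", hardenedContext).
let hardenedContext = leafContext(untrusted: userSupplied, trusted: ["title": "Profile"])

print("raw:      \(vulnerableContext["name"]!)")
print("escaped:  \(hardenedContext["name"]!)")
print("CSP:      \(contentSecurityPolicy)")
```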