Fava vulnerable to Reflected Cross-site Scripting
Moderate severity
GitHub Reviewed
Published
Jul 26, 2022
to the GitHub Advisory Database
•
Updated Sep 20, 2024
Description
Published by the National Vulnerability Database
Jul 25, 2022
Published to the GitHub Advisory Database
Jul 26, 2022
Reviewed
Aug 6, 2022
Last updated
Sep 20, 2024
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2.
The
query_string
parameter of Fava is vulnerable to reflected cross-site scripting, for which a attacker can modify any information that the user is able to modify. This issue is fixed in version 1.22.2.References