Home > Vulnerability Database > CVE-2024-27290

Mend.io Vulnerability Database

CVE-2024-27290

Good to know:

Date: February 29, 2024

Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.

Language: Python

Severity Score

6.1

Related Resources (5)

Url: https://github.com/jhpyle/docassemble

Url: https://github.com/jhpyle/docassemble/security/advisories/GHSA-pcfx-g2j2-f6f6

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27290

Url: https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa

Url: https://www.mend.io/vulnerability-database/CVE-2024-27290

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version docassemble.webapp - 1.4.97

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27290

Good to know:

Date: February 29, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?