Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a CVE vulnerability ID? 
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
New vulnerability? Tell us about it!
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
WS-2023-0062
Date: February 20, 2023
In galaxyproject/galaxy, the 'description' and 'synopsis' fields of libraries are vulnerable to stored XSS injection. If a user sets the synopsis or description of a library to ''"><img src=x onerror=alert(1);>' they can set a stored XSS payload that fires whenever someone visits the /libraries page. Normally libraries are only editable by admins, but it is possible for admins to give edit permissions for specific libraries to regular users, meaning that this vulnerability could be used by an attacker on a normal user account if an admin gives them edit permission for a library.
Language: Python
Severity Score
Severity Score
Weakness Type (CWE)
Cross-Site Scripting (XSS)
CWE-79CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | REQUIRED |
| Scope (S): | CHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | LOW |
| Availability (A): | NONE |