Homepage

Cross-site Scripting (XSS) Affecting patchwork package, versions <1.1.3-r1

Severity

 Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.63% (80th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ALPINE37-PATCHWORK-452905
  • published24 Jul 2019
  • disclosed10 Jul 2019
Report a new vulnerability Found a mistake?

Introduced: 10 Jul 2019

CVE-2019-13122  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade Alpine:3.7 patchwork to version 1.1.3-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream patchwork package and not the patchwork package as distributed by Alpine. See How to fix? for Alpine:3.7 relevant fixed versions and status.

A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.