Goobi Viewer XSS via LOGID prior to 23.03
CVE-2023-29014 Published on April 6, 2023
Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser. The vulnerability has been fixed in version 23.03.
Vulnerability Analysis
CVE-2023-29014 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-29014 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2023-29014
Want to know whenever a new CVE is published for Intranda Goobi Viewer Core? stack.watch will email you.
Affected Versions
intranda goobi-viewer-core Version < 23.03 is affected by CVE-2023-29014Vulnerable Packages
The following package name and versions may be associated with CVE-2023-29014
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | io.goobi.viewer:viewer-core | < 23.03 | 23.03 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.