Goobi Viewer XSS via Comment Field before 23.03
CVE-2023-29015 Published on April 6, 2023
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user's browser when displaying the comment. The vulnerability has been fixed in version 23.03.
Vulnerability Analysis
CVE-2023-29015 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-29015 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2023-29015
Want to know whenever a new CVE is published for Intranda Goobi Viewer Core? stack.watch will email you.
Affected Versions
intranda goobi-viewer-core Version < 23.03 is affected by CVE-2023-29015Vulnerable Packages
The following package name and versions may be associated with CVE-2023-29015
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | io.goobi.viewer:viewer-core | < 23.03 | 23.03 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.