Goobi Viewer XSS via Nickname - Fixed in 23.03
CVE-2023-29016 Published on April 6, 2023
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames
The Goobi viewer is a web application that displays digitised material in a web browser. A stored cross-site scripting vulnerability exists in Goobi viewer core prior to version 23.03 in the handling of user nicknames. An attacker who creates a user account can place script in the nickname field of their profile; that script then executes in the browser of any user who views a page on which the nickname is rendered. The vulnerability is fixed in version 23.03.
Vulnerability Analysis
CVE-2023-29016 is exploitable over the network with low attack complexity. The attacker needs a user account on the target instance, and exploitation requires user interaction: a victim must view a page that renders the malicious nickname. A successful exploit has a low impact on confidentiality and integrity (the injected script runs in the victim's browser within the viewer's origin) and no impact on availability.
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-29016 is classified as a cross-site scripting (XSS) weakness, CWE-79.
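As an added illustration that is not Goobi viewer's own code (the viewer is a Java/JSF application; the rendering functions below are a hypothetical JavaScript template and the sample profiles are constructed), the following shows how a nickname stored in a profile becomes script execution when it is written into a page unencoded, and how entity-encoding the value at render time removes the problem. The names `escapeHtml`, `renderNicknameVulnerable`, `renderNicknameFixed`, `injectedTagNames` and `isAcceptableNickname` are assumptions of this example.

```javascript
// Added example, not Goobi viewer code: stored XSS through a profile nickname
// and the output-encoding fix. The pattern is language-independent.
'use strict';

// Constructed sample profiles as they might sit in a user table. Profile 2's
// nickname is an attacker payload that fires without needing a <script> tag.
const STORED_PROFILES = [
  { id: 1, nickname: "O'Brien" },
  { id: 2, nickname: '<img src=x onerror="alert(document.cookie)">' },
];

// Minimal HTML entity encoder for text placed in element content or a
// double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the stored nickname is interpolated into the page as raw markup,
// so the browser parses the attacker's <img> element and runs its onerror handler.
function renderNicknameVulnerable(profile) {
  return `<span class="nickname">${profile.nickname}</span>`;
}

// Fixed: the nickname is entity-encoded at output time, so the browser displays
// the attacker's text literally instead of interpreting it as a tag.
function renderNicknameFixed(profile) {
  return `<span class="nickname">${escapeHtml(profile.nickname)}</span>`;
}

// Check helper: names of any tags in the rendered HTML other than the wrapper
// span. For the vulnerable renderer this reveals attacker-controlled elements.
function injectedTagNames(html) {
  const names = [];
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)) {
    const name = m[1].toLowerCase();
    if (name !== 'span') names.push(name);
  }
  return names;
}

// Defence in depth on the input side: a nickname never legitimately needs angle
// brackets, so reject them at registration. Output encoding remains mandatory,
// because the same value may also be rendered by code paths that skip this check.
function isAcceptableNickname(nickname) {
  return typeof nickname === 'string'
    && nickname.length > 0
    && nickname.length <= 64
    && !/[<>]/.test(nickname);
}

// Demonstration on the constructed profiles.
for (const p of STORED_PROFILES) {
  console.log('vulnerable:', renderNicknameVulnerable(p), '->', injectedTagNames(renderNicknameVulnerable(p)));
  console.log('fixed:     ', renderNicknameFixed(p), '->', injectedTagNames(renderNicknameFixed(p)));
}
```

The fix that matters is the one in `renderNicknameFixed`: encode at every point where the nickname is written into HTML, not only on the profile page. Input validation such as `isAcceptableNickname` is a useful second layer but is not a substitute, since nicknames already stored before the check was introduced remain in the database. In JSF, the view technology Goobi viewer uses, `h:outputText` escapes by default and only emits raw markup when `escape="false"` is set; whether that attribute was involved in this particular CVE is not stated on this page.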
Products Associated with CVE-2023-29016
Affected Versions
intranda goobi-viewer-core: versions < 23.03 are affected by CVE-2023-29016
Vulnerable Packages
The following package name and versions may be associated with CVE-2023-29016
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | io.goobi.viewer:viewer-core | < 23.03 | 23.03 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.