CVE-2019-13122 — MEDIUM (6.1)

Q: How severe is CVE-2019-13122?

CVE-2019-13122 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-13122?

Check the references section above for vendor advisories and patch information. Affected products include: Ozlabs Patchwork.

Vulnerability Description

A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Ozlabs	Patchwork	>= 1.1, < 2.0.4

Related Weaknesses (CWE)

CWE-79

References

http://jk.ozlabs.org/projects/patchwork/Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/07/05/1Mailing ListThird Party Advisory
https://github.com/getpatchwork/patchwork/commits/masterThird Party Advisory
https://github.com/getpatchwork/patchwork/releasesRelease NotesThird Party Advisory
https://lists.ozlabs.org/pipermail/patchwork/2019-July/005870.htmlMailing ListVendor Advisory
https://lists.ozlabs.org/pipermail/patchwork/2019-July/005878.htmlMailing ListVendor Advisory
https://lists.ozlabs.org/pipermail/patchwork/2019-July/date.htmlVendor Advisory
http://jk.ozlabs.org/projects/patchwork/Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/07/05/1Mailing ListThird Party Advisory
https://github.com/getpatchwork/patchwork/commits/masterThird Party Advisory
https://github.com/getpatchwork/patchwork/releasesRelease NotesThird Party Advisory
https://lists.ozlabs.org/pipermail/patchwork/2019-July/005870.htmlMailing ListVendor Advisory
https://lists.ozlabs.org/pipermail/patchwork/2019-July/005878.htmlMailing ListVendor Advisory
https://lists.ozlabs.org/pipermail/patchwork/2019-July/date.htmlVendor Advisory

FAQ

What is CVE-2019-13122?

CVE-2019-13122 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch d...

How severe is CVE-2019-13122?

CVE-2019-13122 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-13122?

Check the references section above for vendor advisories and patch information. Affected products include: Ozlabs Patchwork.