CVE-2019-7250 — MEDIUM (6.1)

Vulnerability Description

An issue was discovered in the Cross Reference Add-on 36 for Google Docs. Stored XSS in the preview boxes in the configuration panel may allow a malicious user to use both label text and references text to inject arbitrary JavaScript code (via SCRIPT elements, event handlers, etc.). Since this code is stored by the plugin, the attacker may be able to target anyone who opens the configuration panel of the plugin.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Cross Reference Project	Cross Reference	36

Related Weaknesses (CWE)

CWE-79

References

https://github.com/davidrthorn/cross_reference/issues/32ExploitThird Party Advisory
https://github.com/davidrthorn/cross_reference/issues/32ExploitThird Party Advisory

FAQ

What is CVE-2019-7250?

CVE-2019-7250 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was discovered in the Cross Reference Add-on 36 for Google Docs. Stored XSS in the preview boxes in the configuration panel may allow a malicious user to use both label text and references te...

How severe is CVE-2019-7250?

CVE-2019-7250 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-7250?

Check the references section above for vendor advisories and patch information. Affected products include: Cross Reference Project Cross Reference.