Vulnerability Description
An issue was discovered in hledger before 1.23. A Stored Cross-Site Scripting (XSS) vulnerability exists in toBloodhoundJson that allows an attacker to execute JavaScript by encoding user-controlled values in a payload with base64 and parsing them with the atob function.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hledger | Hledger | < 1.23 |
Related Weaknesses (CWE)
References
- https://github.com/simonmichael/hledger/issues/1525ExploitIssue TrackingVendor Advisory
- https://github.com/simonmichael/hledger/pull/1663ExploitIssue TrackingPatch
- https://github.com/simonmichael/hledger/releases/tag/1.23Release Notes
- https://www.youtube.com/watch?v=QnRO-VkfIicExploitThird Party Advisory
- https://github.com/simonmichael/hledger/issues/1525ExploitIssue TrackingVendor Advisory
- https://github.com/simonmichael/hledger/pull/1663ExploitIssue TrackingPatch
- https://github.com/simonmichael/hledger/releases/tag/1.23Release Notes
- https://www.youtube.com/watch?v=QnRO-VkfIicExploitThird Party Advisory
FAQ
What is CVE-2021-46888?
CVE-2021-46888 is a vulnerability with a CVSS score of 5.4 (MEDIUM). An issue was discovered in hledger before 1.23. A Stored Cross-Site Scripting (XSS) vulnerability exists in toBloodhoundJson that allows an attacker to execute JavaScript by encoding user-controlled v...
How severe is CVE-2021-46888?
CVE-2021-46888 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-46888?
Check the references section above for vendor advisories and patch information. Affected products include: Hledger Hledger.