Vulnerability Description
Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts so it is not possible to execute JavaScript code, unless in combination with other vulnerabilities. There are no workarounds, please upgrade to Pat-DB 1.0.2 or later.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Part-Db Project | Part-Db | >= 1.0.0, < 1.0.2 |
Related Weaknesses (CWE)
References
- https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e0Patch
- https://github.com/Part-DB/Part-DB-server/pull/227Issue Tracking
- https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2Release Notes
- https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2PatchVendor Advisory
- https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e0Patch
- https://github.com/Part-DB/Part-DB-server/pull/227Issue Tracking
- https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2Release Notes
- https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2PatchVendor Advisory
FAQ
What is CVE-2023-26042?
CVE-2023-26042 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the p...
How severe is CVE-2023-26042?
CVE-2023-26042 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-26042?
Check the references section above for vendor advisories and patch information. Affected products include: Part-Db Project Part-Db.