Vulnerability Description
Taskcafe 0.3.2 is vulnerable to Cross-Site Scripting (XSS). The file type is not validated when an SVG profile picture containing an XSS payload is uploaded. An authenticated attacker can exploit this by uploading a malicious picture; the payload triggers when the victim opens the file.
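As an added defender-side example (not Taskcafe's own code), this is the kind of server-side upload check that closes the gap described above: a profile picture is accepted only when its extension, its declared type and its leading bytes all agree on a raster format, so an SVG carrying script is refused whatever it is named. The function names and the sample bytes are constructed for the example.

```python
from typing import Optional, Tuple

# Magic-byte signatures of the raster formats a profile-picture endpoint
# should accept. SVG is deliberately absent: it is XML and can embed script.
_RASTER_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
_ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, sig in _RASTER_SIGNATURES.items():
        if data.startswith(sig):
            return mime
    return None


def looks_like_svg(data: bytes) -> bool:
    """Detect SVG/XML by content, ignoring the name and declared type."""
    head = data[:1024].lstrip().lower()
    return head.startswith(b"<?xml") or b"<svg" in head


def validate_profile_picture(filename: str, declared_mime: str,
                             data: bytes) -> Tuple[bool, str]:
    """Accept only when extension, declared type and content all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in _ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if looks_like_svg(data):
        return False, "SVG/XML content rejected"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised raster image"
    if declared_mime != sniffed:
        return False, f"declared {declared_mime} but content is {sniffed}"
    return True, sniffed


# Constructed samples: a script-bearing SVG and a minimal PNG header.
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_profile_picture("avatar.svg", "image/svg+xml", SVG_WITH_SCRIPT))
    print(validate_profile_picture("avatar.png", "image/png", SVG_WITH_SCRIPT))
    print(validate_profile_picture("avatar.png", "image/png", PNG_HEADER))
```

Serving stored pictures from a separate origin with `Content-Disposition: attachment` is a complementary control, since it keeps any file that slips through from executing in the application's origin.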
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Taskcafe Project | Taskcafe | 0.3.2 |
Related Weaknesses (CWE)
References
- https://bishopfox.com/blog/taskcafe-version-0-3-2-advisory (Exploit, Third Party Advisory)
- https://github.com/JordanKnott/taskcafe (Product)
FAQ
What is CVE-2023-26771?
CVE-2023-26771 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Taskcafe 0.3.2 is vulnerable to Cross-Site Scripting (XSS). The file type is not validated when an SVG profile picture containing an XSS payload is uploaded. An authenticated attacker can e...
How severe is CVE-2023-26771?
CVE-2023-26771 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-26771?
Check the references section above for vendor advisories and patch information. Affected products include: Taskcafe Project Taskcafe.