Vulnerability Description
JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0. The vulnerability is resolved with release 1.13.19.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sos-Berlin | Jobscheduler | < 1.13.19 |
Related Weaknesses (CWE)
References
- https://change.sos-berlin.com/browse/SET-226PatchVendor Advisory
- https://github.com/sos-berlin/joc-cockpit/security/advisories/GHSA-qr44-gm3x-7hfThird Party Advisory
- https://change.sos-berlin.com/browse/SET-226PatchVendor Advisory
- https://github.com/sos-berlin/joc-cockpit/security/advisories/GHSA-qr44-gm3x-7hfThird Party Advisory
FAQ
What is CVE-2023-37272?
CVE-2023-37272 is a vulnerability with a CVSS score of 6.3 (MEDIUM). JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject c...
How severe is CVE-2023-37272?
CVE-2023-37272 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-37272?
Check the references section above for vendor advisories and patch information. Affected products include: Sos-Berlin Jobscheduler.