CVE-2019-10779

Published: Jan 28, 2020Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user.

Affected (2)

Products: Gchq: Stroom

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Gchq Stroom	Before 5.5.12
Gchq Stroom	From 6.0 to 6.0.25

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://snyk.io/vuln/SNYK-JAVA-STROOM-541182

Source: report@snyk.io

ExploitThird Party Advisory

https://snyk.io/vuln/SNYK-JAVA-STROOM-541182

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.