[MAVEN:GHSA-2PWH-52H7-7J84] JavaScript execution via malicious molfiles (XSS)
Severity
Moderate
Affected Packages
1
Fixed Packages
1
Impact
The viewer plugin implementation of <mol:molecule> renders molfile data directly inside a <script> tag without any escaping. Arbitrary JavaScript code can thus be executed in the client browser via crafted molfiles.
Patches
Patched in v0.3.0: Molfile data is now rendered as value of a hidden <input> tag and escaped via JSF's mechanisms.
Workarounds
No workaround available.
| Package | Affected Version |
|---|---|
 pkg:maven/de.ipb-halle/molecularfaces
|
< 0.3.0 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/de.ipb-halle/molecularfaces
|
= 0.3.0 |
- ID
- MAVEN:GHSA-2PWH-52H7-7J84
- Severity
- moderate
- URL
- https://github.com/advisories/GHSA-2pwh-52h7-7j84
- Published
-
2021-04-16T19:52:49
(3 years ago) - Modified
-
2023-01-09T05:04:26
(20 months ago) - Rights
- Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/de.ipb-halle/molecularfaces | de.ipb-halle |
molecularfaces
|
< 0.3.0 | |||
| Fixed | pkg:maven/de.ipb-halle/molecularfaces | de.ipb-halle |
molecularfaces
|
= 0.3.0 |