[MAVEN:GHSA-2PWH-52H7-7J84] JavaScript execution via malicious molfiles (XSS)
Severity
Moderate
Affected Packages
1
Fixed Packages
1
Impact
The viewer plugin implementation of <mol:molecule> renders molfile data directly inside a <script> tag without any escaping. Arbitrary JavaScript code can thus be executed in the client browser via crafted molfiles.
Patches
Patched in v0.3.0: Molfile data is now rendered as the value of a hidden <input> tag and escaped via JSF's mechanisms.
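The two rendering strategies side by side, as an added example that is not code from the molecularfaces project: a constructed molfile carrying an XSS payload is first concatenated into a <script> block (the pre-0.3.0 pattern described above), then placed in a hidden <input> with attribute escaping of the kind JSF performs (the 0.3.0 pattern). The escaping table, the element id and the molfile itself are assumptions made for the illustration. The point worth seeing in code is why escaping inside the JavaScript string would not have been enough: the HTML parser terminates the script element at the first `</script>` before any JavaScript runs, so the data must never reach a tag-forming parsing context at all.

```javascript
// Added example (not code from the molecularfaces project): contrasts the
// vulnerable rendering pattern named in the advisory with the patched one.
// The molfile below is constructed; the element id is an assumption.

// Constructed molfile: a minimal V2000 header followed by a payload an
// attacker could smuggle into a molecule record.
const MALICIOUS_MOLFILE =
  "benzene\n  -CHEM-  01012100002D\n\n" +
  "  0  0  0  0  0  0  0  0  0  0999 V2000\nM  END\n" +
  "</script><script>alert(document.cookie)</script>";

// Vulnerable pattern: the molfile is concatenated straight into a <script>
// block. The HTML parser ends the script element at the first "</script>",
// so quoting inside the JS string literal cannot prevent the breakout.
function renderVulnerable(molfile) {
  return '<script>var molfile = "' + molfile.replace(/\n/g, "\\n") + '";</script>';
}

// Count <script ...> start tags in markup: more than one means the payload
// escaped the script element the page intended to emit.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// HTML attribute escaping of the kind JSF applies when it writes a component
// value into an attribute (assumption: this table mirrors JSF's output; it is
// not taken from the project).
function escapeAttribute(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Patched pattern: the molfile becomes the value of a hidden <input>; the
// viewer script reads it back through .value, so the data is only ever
// attribute text and can never form a tag.
function renderHardened(molfile, id = "molfileInput") {
  return '<input type="hidden" id="' + id + '" value="' + escapeAttribute(molfile) + '">' +
    '<script>var molfile = document.getElementById("' + id + '").value;</script>';
}

// Simulates what the browser hands back through .value: the attribute is
// entity-decoded, so the original molfile (payload included) is recovered
// as inert text rather than executed.
function decodeAttribute(html, id) {
  const m = html.match(new RegExp('id="' + id + '" value="([^"]*)"'));
  if (!m) return null;
  return m[1].replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ({
    amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'",
  })[e]);
}

// Usage: the vulnerable markup contains a second <script> start tag (the
// attacker's), the hardened markup contains only the loader script, and the
// molfile round-trips unchanged through the hidden input.
console.log(countScriptTags(renderVulnerable(MALICIOUS_MOLFILE)));
console.log(countScriptTags(renderHardened(MALICIOUS_MOLFILE)));
console.log(decodeAttribute(renderHardened(MALICIOUS_MOLFILE), "molfileInput") === MALICIOUS_MOLFILE);
```

When checking a fix of this shape, look for the data in an attribute or a text node that is entity-encoded by the framework, not in a script body; JSON-encoding into a script is only safe if `<` and `>` (and `</script>` in particular) are also escaped.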
Workarounds
No workaround available.
Package | Affected Version |
---|---|
pkg:maven/de.ipb-halle/molecularfaces | < 0.3.0 |
Package | Fixed Version |
---|---|
pkg:maven/de.ipb-halle/molecularfaces | = 0.3.0 |
- ID
- MAVEN:GHSA-2PWH-52H7-7J84
- Severity
- moderate
- URL
- https://github.com/advisories/GHSA-2pwh-52h7-7j84
- Published
- 2021-04-16T19:52:49
- Modified
- 2023-01-09T05:04:26
- Rights
- Maven Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/de.ipb-halle/molecularfaces | de.ipb-halle | molecularfaces | < 0.3.0 | | | |
Fixed | pkg:maven/de.ipb-halle/molecularfaces | de.ipb-halle | molecularfaces | = 0.3.0 | | | |