Search criteria
8 vulnerabilities found for goobi_viewer_core by intranda
CVE-2023-29016 (GCVE-0-2023-29016)
Vulnerability from nvd – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:11
VLAI
Title
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts into their profile's nickname, resulting in the execution in the user's browser when displaying the nickname on certain pages. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:11:27.122227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:11:32.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts into their profile\u0027s nickname, resulting in the execution in the user\u0027s browser when displaying the nickname on certain pages. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:26.948Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238"
}
],
"source": {
"advisory": "GHSA-2r9r-8fcg-m38g",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29016",
"datePublished": "2023-04-06T19:03:26.948Z",
"dateReserved": "2023-03-29T17:39:16.144Z",
"dateUpdated": "2025-02-10T16:11:32.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29015 (GCVE-0-2023-29015)
Vulnerability from nvd – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:11
VLAI
Title
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user's browser when displaying the comment. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:11:53.838013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:11:59.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user\u0027s browser when displaying the comment. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:23.713Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256"
}
],
"source": {
"advisory": "GHSA-622w-995c-3c3h",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29015",
"datePublished": "2023-04-06T19:03:23.713Z",
"dateReserved": "2023-03-29T17:39:16.143Z",
"dateUpdated": "2025-02-10T16:11:59.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29014 (GCVE-0-2023-29014)
Vulnerability from nvd – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:12
VLAI
Title
Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:12:19.552877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:12:23.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user\u0027s browser. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:19.967Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455"
}
],
"source": {
"advisory": "GHSA-7v7g-9vx6-vcg2",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29014",
"datePublished": "2023-04-06T19:03:19.967Z",
"dateReserved": "2023-03-29T17:39:16.143Z",
"dateUpdated": "2025-02-10T16:12:23.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15124 (GCVE-0-2020-15124)
Vulnerability from nvd – Published: 2020-07-22 17:35 – Updated: 2024-08-04 13:08
VLAI
Title
Path traversal in Goobi viewer Core
Summary
In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3
Severity
9.6 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 4.8.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.787Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 4.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-22T17:35:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
],
"source": {
"advisory": "GHSA-7gwq-xqw3-cr63",
"discovery": "UNKNOWN"
},
"title": "Path traversal in Goobi viewer Core",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15124",
"STATE": "PUBLIC",
"TITLE": "Path traversal in Goobi viewer Core"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "goobi-viewer-core",
"version": {
"version_data": [
{
"version_value": "\u003c 4.8.3"
}
]
}
}
]
},
"vendor_name": "intranda"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63",
"refsource": "CONFIRM",
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3",
"refsource": "MISC",
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
]
},
"source": {
"advisory": "GHSA-7gwq-xqw3-cr63",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15124",
"datePublished": "2020-07-22T17:35:13.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:21.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29016 (GCVE-0-2023-29016)
Vulnerability from cvelistv5 – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:11
VLAI
Title
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts into their profile's nickname, resulting in the execution in the user's browser when displaying the nickname on certain pages. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:11:27.122227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:11:32.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts into their profile\u0027s nickname, resulting in the execution in the user\u0027s browser when displaying the nickname on certain pages. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:26.948Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238"
}
],
"source": {
"advisory": "GHSA-2r9r-8fcg-m38g",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29016",
"datePublished": "2023-04-06T19:03:26.948Z",
"dateReserved": "2023-03-29T17:39:16.144Z",
"dateUpdated": "2025-02-10T16:11:32.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29015 (GCVE-0-2023-29015)
Vulnerability from cvelistv5 – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:11
VLAI
Title
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user's browser when displaying the comment. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:11:53.838013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:11:59.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user\u0027s browser when displaying the comment. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:23.713Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256"
}
],
"source": {
"advisory": "GHSA-622w-995c-3c3h",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29015",
"datePublished": "2023-04-06T19:03:23.713Z",
"dateReserved": "2023-03-29T17:39:16.143Z",
"dateUpdated": "2025-02-10T16:11:59.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29014 (GCVE-0-2023-29014)
Vulnerability from cvelistv5 – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:12
VLAI
Title
Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:12:19.552877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:12:23.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user\u0027s browser. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:19.967Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455"
}
],
"source": {
"advisory": "GHSA-7v7g-9vx6-vcg2",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29014",
"datePublished": "2023-04-06T19:03:19.967Z",
"dateReserved": "2023-03-29T17:39:16.143Z",
"dateUpdated": "2025-02-10T16:12:23.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15124 (GCVE-0-2020-15124)
Vulnerability from cvelistv5 – Published: 2020-07-22 17:35 – Updated: 2024-08-04 13:08
VLAI
Title
Path traversal in Goobi viewer Core
Summary
In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3
Severity
9.6 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 4.8.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.787Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 4.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-22T17:35:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
],
"source": {
"advisory": "GHSA-7gwq-xqw3-cr63",
"discovery": "UNKNOWN"
},
"title": "Path traversal in Goobi viewer Core",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15124",
"STATE": "PUBLIC",
"TITLE": "Path traversal in Goobi viewer Core"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "goobi-viewer-core",
"version": {
"version_data": [
{
"version_value": "\u003c 4.8.3"
}
]
}
}
]
},
"vendor_name": "intranda"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63",
"refsource": "CONFIRM",
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3",
"refsource": "MISC",
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
]
},
"source": {
"advisory": "GHSA-7gwq-xqw3-cr63",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15124",
"datePublished": "2020-07-22T17:35:13.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:21.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}