CVE-2019-3865

CWE-79 — Cross-site Scripting (XSS)CWE-416 — Use After Free52 documents5 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 42.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

[unknown] Quay Redhat Quay

Timeline

PublishedJun 22

Latest updateMay 24

Description

A vulnerability was found in quay-2, where a stored XSS vulnerability has been found in the super user function of quay. Attackers are able to use the name field of service key to inject scripts and make it run when admin users try to change the name.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDredhat/quay2.0.0

▶CVEListV5[unknown]/quayquay 2

🔴Vulnerability Details

GHSA

GHSA-pgwc-cqjm-w595: A vulnerability was found in quay-2, where a stored XSS vulnerability has been found in the super user function of quay↗2022-05-24

▶

CVEList

CVE-2019-3865: A vulnerability was found in quay-2, where a stored XSS vulnerability has been found in the super user function of quay↗2020-06-22

▶

📋Vendor Advisories

Red Hat

quay: Stored XSS in super user function↗2019-11-03

▶

Red Hat

chromium-browser: Use-after-free in IndexedDB↗2019-10-10

▶

Red Hat

chromium-browser: Use-after-free in audio↗2019-10-10

▶

Red Hat

chromium-browser: Cross-origin size leak↗2019-10-10

▶

Red Hat

chromium-browser: Use-after-free in WebRTC↗2019-10-10

▶

💬Community

Bugzilla

CVE-2019-3865 quay: Stored XSS in super user function↗2019-11-04

▶