CVE-2022-27476
Published: 2022-04-10
Priority: P422 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.55% (41.6th percentile)
A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the goodsName parameter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| newbee-mall_project | newbee-mall | — | — |
| osgeo | owslib | >= 0 < 0.28.1 | 0.28.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | CVSS v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
GHSA (ghsa · 2023-03-07): CVE-2023-27476 [HIGH] CWE-611
OWSLib vulnerable to XML External Entity (XXE) Injection
### Impact
OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution when `lxml` is used, so an attacker-controlled XML payload can lead to arbitrary file reads. This affects all XML parsing in the codebase.
### Patches
- Use only lxml for XML handling, adding `resolve_entities=False` to `lxml`'s parser: https://github.com/geopython/OWSLib/pull/863
### Workarounds
```python
from lxml import etree
# patch_well_known_namespaces is OWSLib's own helper (defined in owslib.etree)
# that registers the OGC namespaces on the etree module
from owslib.etree import patch_well_known_namespaces

patch_well_known_namespaces(etree)
# Make lxml's default parser (used by etree.fromstring / etree.parse when no
# parser is passed) refuse to substitute entity references
etree.set_default_parser(
    parser=etree.XMLParser(resolve_entities=False)
)
```
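To show what the workaround actually changes, the following added example (not OWSLib's code or part of the advisory) parses a constructed document that declares an internal DTD entity, once with lxml's default entity handling and once with `resolve_entities=False`. The entity carries an inline marker value rather than an external resource, which is enough to see whether the parser substitutes entity references; `harden_default_parser` applies the advisory's global `set_default_parser` approach so that a plain `etree.fromstring` call picks up the safe setting.

```python
from lxml import etree

# Constructed sample input: an internal general entity declared in the
# document's own DTD subset. Whether "&marker;" is replaced by its value tells
# us whether the parser is resolving entities.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY marker "ENTITY-WAS-RESOLVED"> ]>
<doc><name>&marker;</name></doc>"""

MARKER = b"ENTITY-WAS-RESOLVED"


def parse_with_entity_resolution(xml_bytes: bytes) -> bytes:
    """Parse with a fresh lxml parser using its default entity handling.

    lxml resolves internal entities by default, so the marker text ends up
    in the tree and in the serialized output.
    """
    parser = etree.XMLParser()
    root = etree.fromstring(xml_bytes, parser)
    return etree.tostring(root)


def parse_hardened(xml_bytes: bytes) -> bytes:
    """Parse with resolve_entities=False, as the OWSLib fix does.

    The entity reference is kept as an entity node and serialized back as
    "&marker;"; its value is never substituted into the document.
    """
    parser = etree.XMLParser(resolve_entities=False)
    root = etree.fromstring(xml_bytes, parser)
    return etree.tostring(root)


def harden_default_parser() -> None:
    """Apply the advisory's workaround globally for this thread.

    After this call, etree.fromstring/etree.parse without an explicit parser
    use the non-resolving parser.
    """
    etree.set_default_parser(parser=etree.XMLParser(resolve_entities=False))


def parse_with_default_parser(xml_bytes: bytes) -> bytes:
    """Parse without naming a parser, i.e. with lxml's current default."""
    return etree.tostring(etree.fromstring(xml_bytes))


def entity_was_resolved(serialized: bytes) -> bool:
    """True if the entity's value was substituted into the parsed document."""
    return MARKER in serialized


if __name__ == "__main__":
    print("default parser  :", parse_with_entity_resolution(SAMPLE_XML))
    print("hardened parser :", parse_hardened(SAMPLE_XML))
    harden_default_parser()
    print("after workaround:", parse_with_default_parser(SAMPLE_XML))
```

Passing a hardened parser explicitly is the more robust choice for new code, because `set_default_parser` only affects the calling thread and any code that constructs its own `XMLParser()` still gets entity resolution.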
### References
- [`GHSL-2022-131`](https://securitylab.github.com/advisories/GHSL-2022-131_OWSLib/)
GHSA (ghsa_unreviewed · 2022-04-11): CVE-2022-27476 [MEDIUM] CWE-79
GHSA-r249-7c63-4pf8: A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1
A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the goodsName parameter.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-04-10