CVE-2023-1270
Published 2023-03-08
CVE-2023-1270: Cross-site Scripting in GitHub repository btcpayserver/btcpayserver prior to 1.8.3.
Priority P4 · 23 · medium · 5.4 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.35% (26.9th percentile)
Cross-site Scripting in GitHub repository btcpayserver/btcpayserver prior to 1.8.3.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| btcpayserver | btcpayserver | < 1.8.3 | 1.8.3 |
| btcpayserver | btcpayserver_btcpayserver | >= unspecified < 1.8.3 | 1.8.3 |
| github.com | neuvector_neuvector | >= 0 < 0.0.0-20231003121714-be746957ee7c | 0.0.0-20231003121714-be746957ee7c |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 5.1 | MEDIUM | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:L |
GHSA (ghsa, 2023-10-06)
CVE-2023-32188 [CRITICAL] CWE-1270: JWT token compromise can allow malicious actions including Remote Code Execution (RCE)
### Impact
A user can reverse engineer the JWT token (JSON Web Token) used in authentication for Manager and API access, forging a valid NeuVector Token to perform malicious activity in NeuVector. This can lead to an RCE.
### Patches
Upgrade to NeuVector [version 5.2.2](https://open-docs.neuvector.com/releasenotes/5x) or later and latest Helm chart (2.6.3+).
+ In 5.2.2 the certificate for JWT-signing is created automatically by the controller with a validity of 90 days and rotated automatically.
+ Use Helm-based deployment/upgrade to 5.2.2 to generate a unique certificate for Manager, REST API, and registry adapter. Helm-based installation/upgrade is required in order to automatically generate certificates.
GHSA (ghsa_unreviewed, 2023-03-08)
CVE-2023-1270 [MEDIUM] CWE-77 GHSA-xfm4-w623-4vcg: Command Injection in GitHub repository btcpayserver/btcpayserver prior to 1.8.3.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/btcpayserver/btcpayserver/commit/7b5ce8f70c060b01990d3f7109e97e0144d878a4
- https://huntr.dev/bounties/ad1f917f-2b25-40ef-9215-c805354c683b
Published: 2023-03-08