CVE-2023-1316
Published 2023-03-10

CVE-2023-1316: Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6.

Priority: P4 · 23 · medium · 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.51% (39.8th percentile)
Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| enhancesoft | osticket | < 1.16.6 | 1.16.6 |
| github.com | spinnaker_spinnaker | >= 1.29.0 | — |
| github.com | spinnaker_spinnaker | >= 1.30.0 | — |
| github.com | spinnaker_spinnaker | >= 1.31.0 | — |
| osticket | osticket_osticket | >= unspecified < v1.16.6 | v1.16.6 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 4.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |
GHSA (ghsa · 2023-08-29)

CVE-2023-39348 [MEDIUM] CWE-532: Improper log output when using GitHub Status Notifications in spinnaker
### Impact
Only impacts those who use GitHub Status Notifications.
Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for GitHub status notifications. Given that this would output GitHub tokens to a log system, the risk is slightly higher than "low", since token exposure could grant elevated access to repositories outside of your control. If using READ-restricted tokens, the exposure is such that the token itself could be used to access resources otherwise restricted from reads.
### Patches
Patch is in progress. https://github.com/spinnaker/echo/pull/1316
### Workarounds
Disable GH Status Notifications. Filter your logs for Echo log d
GHSA (ghsa_unreviewed · 2023-03-10)

CVE-2023-1316 [MEDIUM] CWE-79 GHSA-56xv-vr33-49x9: Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1

Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-03-10