CVE-2023-29014
Published 2023-04-06
Priority: P4 (25)
Severity: medium, CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.44% (35.4th percentile)
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser. The vulnerability has been fixed in version 23.03.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intranda | goobi-viewer-core | < 23.03 | 23.03 |
| intranda | goobi_viewer_core | < 23.03 | 23.03 |
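The advisory describes the textbook reflected pattern: a query parameter (here LOGID) is copied into the HTML response without output encoding, so whoever controls the link controls markup in the victim's page. As an added example, not code from goobi-viewer-core or intranda, the block below builds a hypothetical vulnerable renderer beside its hardened form, a generic canary check that tells the two apart, and a version test against the "< 23.03" range in the table above. The hostname, URL path, template markup and canary string are constructed for illustration; only the parameter name LOGID and the fixed version 23.03 come from the page.

```python
"""Reflected XSS via a query parameter: a vulnerable renderer next to its
hardened form, plus a version check against the advisory's affected range.

Added example; none of this is goobi-viewer-core code. The handler, the
template markup, the hostname and the canary are constructed for
illustration. Only the parameter name LOGID and the fixed version 23.03
come from the advisory.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

FIXED_VERSION = "23.03"  # from the advisory: fixed in 23.03, affected < 23.03


def logid_from_url(url: str) -> str:
    """Return the first LOGID value in the URL's query string ('' if absent).
    parse_qs percent-decodes, so '%3C' arrives here as '<'."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("LOGID", [""])[0]


def render_vulnerable(url: str) -> str:
    """Hypothetical vulnerable pattern: the raw parameter is concatenated into
    the HTML, so any markup in LOGID becomes markup in the response."""
    return f'<div class="struct-link">Section: {logid_from_url(url)}</div>'


def render_hardened(url: str) -> str:
    """Fix pattern: entity-encode the value where it enters an HTML text node.
    quote=True also encodes " and ', which matters inside attribute values."""
    safe = html.escape(logid_from_url(url), quote=True)
    return f'<div class="struct-link">Section: {safe}</div>'


# Constructed canary: contains the characters that must never survive
# verbatim inside an HTML text node or quoted attribute (", <, >).
CANARY = 'x7q"<probe/>'


def reflects_markup(renderer, canary: str = CANARY) -> bool:
    """Generic reflected-XSS check: send a canary containing markup and report
    whether it comes back byte-for-byte, i.e. without entity encoding.
    'renderer' stands in for an HTTP round trip to the page under test."""
    url = "https://viewer.example.test/image/PPN123/1/?LOGID=" + quote(canary, safe="")
    return canary in renderer(url)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when a version string (e.g. '22.12', '23.03.1') falls inside the
    advisory's affected range '< 23.03'. Components are compared as integers,
    so '23.3' equals '23.03' and '23.10' sorts after '23.03'."""
    def key(v: str):
        return tuple(int(p) for p in v.split("."))
    return key(version) < key(fixed)


if __name__ == "__main__":
    print("vulnerable renderer reflects markup:", reflects_markup(render_vulnerable))
    print("hardened renderer reflects markup:  ", reflects_markup(render_hardened))
    for v in ("22.12", "23.03", "23.07"):
        print(f"{v}: affected={is_affected(v)}")
```

In an assessment the `renderer` argument is an HTTP GET against the instance, and the canary stays benign: proving that `<` and `"` are reflected unencoded is enough to confirm the class of bug, and nothing executable needs to be sent. The version check deliberately parses dotted components as integers rather than comparing strings, since a string comparison would wrongly rank "23.10" below "23.03".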
OSV
Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
osv·2023-04-07
CVE-2023-29014 [MEDIUM] Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
### Impact
A reflected cross-site scripting vulnerability has been identified in Goobi viewer core when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser.
### Patches
The vulnerability has been fixed in version 23.03
### Credits
We would like to thank [RUS-CERT](https://cert.uni-stuttgart.de/) for reporting this issue.
If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailto:[email protected])
GHSA
Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
ghsa·2023-04-07
CVE-2023-29014 [MEDIUM] CWE-79 Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455
- https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2