Source: fava
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for fava.

CVE-2022-2514[0]:
| The time and filter parameters in Fava prior to v1.22 are vulnerable
| to reflected XSS due to the lack of escaping of error messages which
| contained the parameters in verbatim.

https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711 (v1.22)

CVE-2022-2523[1]:
| Cross-site Scripting (XSS) - Reflected in GitHub repository
| beancount/fava prior to 1.22.2.

https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b (v1.22.2)

CVE-2022-2589[2]:
| Cross-site Scripting (XSS) - Reflected in GitHub repository
| beancount/fava prior to 1.22.3.

https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/
https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539 (v1.22.3)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2514
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2514
[1] https://security-tracker.debian.org/tracker/CVE-2022-2523
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2523
[2] https://security-tracker.debian.org/tracker/CVE-2022-2589
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2589

Please adjust the affected versions in the BTS as needed.
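The pattern behind CVE-2022-2514 is an error message that echoes a request parameter back into an HTML page without escaping it. The following added illustration is not fava's code and not taken from the referenced commits; the handler, parameter pattern and sample query are all constructed here. It places the unescaped pattern beside the escaped one and shows a handler that validates the `time` and `filter` query parameters before it decides what to echo, using only the Python standard library.

```python
"""Escaping user-controlled values before echoing them in an HTML error message.

Hypothetical helpers (not fava's own code) illustrating the defect class
described for CVE-2022-2514: an error page that reproduced the ``time`` and
``filter`` query parameters verbatim.
"""
from html import escape
import re

# Constructed, deliberately restrictive shape for a "time" filter value,
# e.g. "2022", "2022-07", "2022-07-01" or a "2022 - 2023" range.
TIME_RE = re.compile(r"^\d{4}(-\d{2}){0,2}( - \d{4}(-\d{2}){0,2})?$")

# Constructed shape for a "filter" value: account-style words, spaces, colons.
FILTER_RE = re.compile(r"^[\w:\- ]*$")


def render_error_unescaped(param_name: str, value: str) -> str:
    """Vulnerable pattern: the raw parameter value is concatenated into HTML."""
    return f'<p class="error">Invalid {param_name}: {value}</p>'


def render_error_escaped(param_name: str, value: str) -> str:
    """Hardened pattern: HTML-escape the value (including quotes) first."""
    return f'<p class="error">Invalid {param_name}: {escape(value, quote=True)}</p>'


def handle_query(query: dict, escape_output: bool = True) -> tuple[int, str]:
    """Hypothetical request handler returning (status, HTML body).

    Each parameter is validated against its pattern; on failure the offending
    value is echoed back, escaped unless ``escape_output`` is False (kept only
    to show the contrast with the vulnerable behaviour).
    """
    render = render_error_escaped if escape_output else render_error_unescaped
    for name, pattern in (("time", TIME_RE), ("filter", FILTER_RE)):
        value = query.get(name, "")
        if value and not pattern.match(value):
            return 400, render(name, value)
    return 200, "<p>filters accepted</p>"


def echoes_raw_markup(body: str) -> bool:
    """True if the body contains any tag other than the template's own <p>."""
    return re.search(r"<(?!/?p\b)[^>]*>", body) is not None


if __name__ == "__main__":
    # Constructed request: a harmless tag in the "time" parameter.
    sample = {"time": "<b>not-a-date</b>", "filter": "Assets:Cash"}
    for escaped in (False, True):
        status, body = handle_query(sample, escape_output=escaped)
        print(status, "escaped" if escaped else "unescaped",
              "raw markup leaked:" , echoes_raw_markup(body))
        print("  ", body)
```

Run with no arguments: the unescaped variant reports that foreign markup reached the response body, the escaped variant does not. Validation alone is not the fix; the escaping in `render_error_escaped` is what removes the defect, and the allow-list patterns only narrow what ever reaches the message.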