Source: graphite-web
Version: 1.1.8-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerabilities were published for graphite-web. Filing with RC severity is slightly borderline, but we should assure graphite-web is in that regard up to date in bookworm.

CVE-2022-4728[0]:
| A vulnerability has been found in Graphite Web and classified as
| problematic. This vulnerability affects unknown code of the component
| Cookie Handler. The manipulation leads to cross site scripting. The
| attack can be initiated remotely. The exploit has been disclosed to
| the public and may be used. The name of the patch is
| 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a
| patch to fix this issue. VDB-216742 is the identifier assigned to this
| vulnerability.

CVE-2022-4729[1]:
| A vulnerability was found in Graphite Web and classified as
| problematic. This issue affects some unknown processing of the
| component Template Name Handler. The manipulation leads to cross site
| scripting. The attack may be initiated remotely. The exploit has been
| disclosed to the public and may be used. The name of the patch is
| 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a
| patch to fix this issue. The associated identifier of this
| vulnerability is VDB-216743.

CVE-2022-4730[2]:
| A vulnerability was found in Graphite Web. It has been classified as
| problematic. Affected is an unknown function of the component Absolute
| Time Range Handler. The manipulation leads to cross site scripting. It
| is possible to launch the attack remotely. The exploit has been
| disclosed to the public and may be used. The name of the patch is
| 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a
| patch to fix this issue. The identifier of this vulnerability is
| VDB-216744.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4728
    https://www.cve.org/CVERecord?id=CVE-2022-4728
[1] https://security-tracker.debian.org/tracker/CVE-2022-4729
    https://www.cve.org/CVERecord?id=CVE-2022-4729
[2] https://security-tracker.debian.org/tracker/CVE-2022-4730
    https://www.cve.org/CVERecord?id=CVE-2022-4730

Regards,
Salvatore
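The three reports above share one shape: a user-controlled value (a cookie, a template name, an absolute time range) is reflected into a page without being HTML-escaped. The following is an added illustration of the defensive pattern such fixes rely on; it is not graphite-web's code nor the referenced upstream patch, and the field names and sample values are constructed for this example. It renders each value once unescaped and once through the standard library's `html.escape`, then checks whether any markup from the input survived into the output.

```python
import html
import re

# Constructed sample inputs standing in for the three user-controlled values the
# advisory names (cookie value, template name, absolute time range). The labels
# are assumptions for this example, not graphite-web's real parameter names.
SAMPLE_INPUTS = {
    "cookie": 'theme=dark"><b>injected</b>',
    "template": "<i>my template</i>",
    "time_range": "from=-24h&until=now<br>",
}

TAG_RE = re.compile(r"<[^>]+>")


def render_unsafe(label, value):
    """Reflect the value into HTML with no escaping (the pattern behind reflected XSS)."""
    return f'<span class="{label}">{value}</span>'


def render_safe(label, value):
    """Escape at output time so <, >, &, and quotes become entities, never markup."""
    return f'<span class="{label}">{html.escape(value, quote=True)}</span>'


def contains_injected_markup(fragment, label):
    """True if the fragment holds any tag other than the wrapping <span> pair."""
    wrapper = {f'<span class="{label}">', "</span>"}
    return any(tag not in wrapper for tag in TAG_RE.findall(fragment))


def check_all(inputs=SAMPLE_INPUTS):
    """Return {label: (unsafe_leaks_markup, safe_leaks_markup)} for each input."""
    return {
        label: (
            contains_injected_markup(render_unsafe(label, value), label),
            contains_injected_markup(render_safe(label, value), label),
        )
        for label, value in inputs.items()
    }


if __name__ == "__main__":
    for label, (unsafe_leaks, safe_leaks) in check_all().items():
        print(f"{label:10s} unescaped leaks markup: {unsafe_leaks!s:5s} "
              f"escaped leaks markup: {safe_leaks}")
```

In a Django application such as graphite-web the template engine autoescapes by default; the cases that need review are values written with `mark_safe`, `|safe`, or assembled by string formatting outside the template layer, which is exactly where a reflected cookie, template name, or time range would bypass that protection.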