CVE-2024-51989— Password Pusher 跨站脚本漏洞

Cross-site Scripting (XSS) Vulnerability in PasswordPusher

Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected. Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability. ### Solution Update to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process. If updating is not immediately possible,

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Password Pusher 跨站脚本漏洞

Password Pusher是Peter Giacomo Lombardo个人开发者的一个开源应用程序，用于在网络上传递敏感信息。 Password Pusher存在跨站脚本漏洞，该漏洞源于一个未清理的参数。攻击者利用该漏洞可以导致跨站脚本漏洞。

N/A

N/A