漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
marimo < 0.23.9 XSS via file Query Parameter in assets.py
Vulnerability Description
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload beginning with __new__ to bypass the 404 check and inject JavaScript into the page, which executes without Content-Security-Policy restrictions in the origin of a victim's marimo server.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
marimo 跨站脚本漏洞
Vulnerability Description
marimo是marimo团队开源的一个交互式Python笔记本,支持响应式编程和SQL查询。 marimo 0.23.9之前版本存在跨站脚本漏洞,该漏洞源于文件查询参数中单引号转义不当,导致反射型跨站脚本。攻击者可利用以__new__开头的恶意有效载荷绕过404检查,在无需内容安全策略限制的情况下注入任意JavaScript。
CVSS Information
N/A
Vulnerability Type
N/A