Skip to content

Cross-site Scripting in Serenity

Moderate severity GitHub Reviewed Published Feb 19, 2024 to the GitHub Advisory Database • Updated Feb 20, 2024

Package

npm @serenity-is/corelib (npm)

Affected versions

< 6.8.0

Patched versions

6.8.0
nuget Serenity.Net.Core (NuGet)
< 6.8.0
6.8.0

Description

Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.

References

Published by the National Vulnerability Database Feb 19, 2024
Published to the GitHub Advisory Database Feb 19, 2024
Reviewed Feb 20, 2024
Last updated Feb 20, 2024

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(11th percentile)

Weaknesses

CVE ID

CVE-2024-26318

GHSA ID

GHSA-5jjq-8cvj-v6m9

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.