CVE-2023-24065
Stored XSS vulnerability in NOSH ChartingSystem version git-4a5cfdbd73f6a2ab5ee43a33d173c46fe0271533 via the create user page.

[Description]
Nosh, as implemented in docker-nosh, allows stored XSS via the
create user page. For example, a first name (of a physician,
assistant, or billing user) can contain a JavaScript payload that is
executed upon visiting the /users/2/1 page.
Attempted to contact the vendor and have not received a response.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/shihjay2/docker-nosh

[Affected Product Code Base]
NOSH ChartingSystem - Version git-4a5cfdbd73f6a2ab5ee43a33d173c46fe0271533

[Affected Component]
The Create user functionality is vulnerable

[Attack Type]
Context-dependent

[CVE Impact Other]
JavaScript code execution in the user's browser.

[Reference]
https://demo.noshchartingsystem.com/
https://noshemr.wordpress.com/
https://github.com/shihjay2/docker-nosh
https://github.com/shihjay2/nosh2/issues/202

# This vulnerability has a CVSS score of 4.3
# More information: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

[Discoverer]
Mr Charalampos Theodorou
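The flaw described above is a stored XSS: a name field is saved as typed and later interpolated into the user page without output encoding. The following added example (not code from the advisory or from the NOSH project, written in Python rather than the application's own stack) puts the vulnerable rendering pattern beside a hardened one and includes the check a tester would run to confirm the fix; the sample first name and the page-rendering functions are constructed for illustration.

```python
import html
import re

# Constructed sample: the kind of first name the advisory describes, a
# JavaScript payload submitted through the create-user form and stored as-is.
MALICIOUS_FIRST_NAME = "Alice<script>alert(1)</script>"

# Allowed punctuation for a human name (illustrative allowlist, not NOSH's rules).
NAME_PUNCT = set(" '-.")


def render_user_page_unsafe(first_name: str, last_name: str) -> str:
    """Vulnerable pattern: stored profile fields are interpolated raw into HTML,
    so a script tag saved in first_name runs when the user page is viewed."""
    return f"<h1>{first_name} {last_name}</h1>"


def render_user_page_safe(first_name: str, last_name: str) -> str:
    """Hardened pattern: every stored field is HTML-entity encoded at output
    time, so '<', '>', '&' and quotes reach the browser as text, not markup."""
    return f"<h1>{html.escape(first_name)} {html.escape(last_name)}</h1>"


def is_plausible_name(value: str, max_len: int = 64) -> bool:
    """Defense in depth at input time: reject names that contain anything other
    than letters and common name punctuation. This complements, and never
    replaces, output encoding."""
    if not value or len(value) > max_len or not value[0].isalpha():
        return False
    return all(ch.isalpha() or ch in NAME_PUNCT for ch in value)


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered_html: str) -> bool:
    """Verification check: does the rendered page still carry an unescaped
    <script> tag? True means the stored payload would execute."""
    return bool(_SCRIPT_TAG.search(rendered_html))


if __name__ == "__main__":
    unsafe = render_user_page_unsafe(MALICIOUS_FIRST_NAME, "Smith")
    safe = render_user_page_safe(MALICIOUS_FIRST_NAME, "Smith")
    print("unsafe page executes payload:", contains_active_markup(unsafe))  # True
    print("hardened page executes payload:", contains_active_markup(safe))  # False
    print("input accepted by name allowlist:", is_plausible_name(MALICIOUS_FIRST_NAME))  # False
```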