CVE-2022-2514
Cross-site Scripting (XSS) - Reflected in beancount/fava
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS because error messages that contain the parameters verbatim are not escaped.
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Affected products
beancount · beancount/fava