CVE-2019-13122

Name
CVE-2019-13122
Description
A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory http://jk.ozlabs.org/projects/patchwork/
Vendor Advisory https://lists.ozlabs.org/pipermail/patchwork/2019-July/date.html
Mailing List https://lists.ozlabs.org/pipermail/patchwork/2019-July/005870.html
Mailing List https://lists.ozlabs.org/pipermail/patchwork/2019-July/005878.html
Release Notes https://github.com/getpatchwork/patchwork/releases
Third Party Advisory https://github.com/getpatchwork/patchwork/commits/master
Mailing List http://www.openwall.com/lists/oss-security/2019/07/05/1

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:ozlabs:patchwork:*:*:*:*:*:*:*:* patchwork >= 1.1 < 2.0.4
cpe:2.3:a:ozlabs:patchwork:*:*:*:*:*:*:*:* patchwork >= 2.1.0 < 2.1.4
cpe:2.3:a:ozlabs:patchwork:2.1.0:rc1:*:*:*:*:*:* patchwork == None == 2.1.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status