CVE-2023-25827 HIGH

CVE-2023-25827: Cross-site Scripting in OpenTSDB

Vendor Opentsdb
Product OpenTSDB
Weakness CWE-79 · XSS
Published May 3, 2023
Last update February 12, 2025

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.

Key dates

02Disclosure timeline

May 3, 2023 CVE published
February 12, 2025 Record updated