CVE-2023-29016 MEDIUM

CVE-2023-29016: Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames

Vendor Intranda

Product goobi-viewer-core

Weakness CWE-79 · XSS

Published April 6, 2023

Last update February 10, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts into their profile's nickname, resulting in the execution in the user's browser when displaying the nickname on certain pages. The vulnerability has been fixed in version 23.03.

Key dates

02Disclosure timeline

April 6, 2023 CVE published

February 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-29016 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2023-29016: Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames

01Description

02Disclosure timeline

03References

04Related CVE