CVE-2023-37272 MEDIUM

CVE-2023-37272: XSS vulnerability in JOC Cockpit branch 1.13

Vendor Sos-Berlin

Product joc-cockpit

Weakness CWE-79 · XSS

Published July 13, 2023

Last update October 21, 2024

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0. The vulnerability is resolved with release 1.13.19.

Key dates

02Disclosure timeline

July 13, 2023 CVE published

October 21, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-37272 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2023-37272: XSS vulnerability in JOC Cockpit branch 1.13

01Description

02Disclosure timeline

03References

04Related CVE