CVE-2024-23341 MEDIUM

CVE-2024-23341: TuiTse-TsuSin html injection vulnerability in `tuitse_html` function

Vendor I3Thuan5

Product TuiTse-TsuSin

Weakness CWE-79 · XSS

Published January 23, 2024

Last update September 11, 2024

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

TuiTse-TsuSin is a package for organizing the comparative corpus of Taiwanese Chinese characters and Roman characters, and extracting sentences of the Taiwanese Chinese characters and the Roman characters. Prior to version 1.3.2, when using `tuitse_html` without quoting the input, there is a html injection vulnerability. Version 1.3.2 contains a patch for the issue. As a workaround, sanitize Taigi input with HTML quotation.

Key dates

02Disclosure timeline

January 23, 2024 CVE published

September 11, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-23341 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-6256 Feeds for YouTube (YouTube video, channel, and gallery plugin) <= 2.2.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting CVE-2024-0508 Orbit Fox by ThemeIsle <= 2.10.27 - Authenticated(Contributor+) Stored Cross-site Scripting via Pricing Table Elementor Widget CVE-2024-10112 Simple News <= 2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode CVE-2025-8722 Content Views <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Grid and List Widgets CVE-2026-26270 InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting