CVE-2024-27290 MEDIUM

CVE-2024-27290: Docassemble HTML and javascript injection

Vendor Jhpyle

Product docassemble

Weakness CWE-79 · XSS

Published February 29, 2024

Last update August 5, 2024

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.

Key dates

Disclosure timeline

February 29, 2024 CVE published

August 5, 2024 Record updated