Passbolt API allows HTML injection
Moderate severity
GitHub Reviewed
Published
Apr 26, 2024
to the GitHub Advisory Database
•
Updated Apr 26, 2024
Description
Published by the National Vulnerability Database
Apr 26, 2024
Published to the GitHub Advisory Database
Apr 26, 2024
Reviewed
Apr 26, 2024
Last updated
Apr 26, 2024
Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.
References