CVE-2023-26042

moderate-risk
Published 2023-02-27

Part-DB is an open source inventory management system for your electronic components. User input was found not being properly escaped, which allowed malicious users to inject arbitrary HTML into the pages. The Content-Security-Policy forbids inline and external scripts so it is not possible to execute JavaScript code, unless in combination with other vulnerabilities. There are no workarounds, please upgrade to Pat-DB 1.0.2 or later.

Do I need to act?

-
0.55% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Part-Db Project

References (8)

Patch https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e0...
Issue Tracking https://github.com/Part-DB/Part-DB-server/pull/227
Release Notes https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2
Patch https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2...
Patch https://github.com/Part-DB/Part-DB-server/commit/5b7f44f4eaacad8a79bcedec32780e0...
Issue Tracking https://github.com/Part-DB/Part-DB-server/pull/227
Release Notes https://github.com/Part-DB/Part-DB-server/releases/tag/v1.0.2
Patch https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-9pmh-gmxx-rg2...
30
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal