CVE-2024-26318: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

February 19, 2024 (updated February 20, 2024)

Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.

References

github.com/advisories/GHSA-5jjq-8cvj-v6m9
nvd.nist.gov/vuln/detail/CVE-2024-26318
serenity.is/docs/release-notes/6.8.0

Detect and mitigate CVE-2024-26318 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →