CVE-2022-2514: Fava time and filter parameters vulnerable to reflected Cross-site Scripting
(updated )
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected cross-site scripting due to the lack of escaping of error messages which contained the parameters in verbatim.
References
- github.com/advisories/GHSA-xrf4-39fm-j5f2
- github.com/beancount/fava
- github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
- github.com/pypa/advisory-database/tree/main/vulns/fava/PYSEC-2022-239.yaml
- huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
- nvd.nist.gov/vuln/detail/CVE-2022-2514
Detect and mitigate CVE-2022-2514 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →