Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-site Scripting with user-uploaded files in dhis2-core
Vulnerability Description
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
DHIS 2 跨站脚本漏洞
Vulnerability Description
DHIS 2是一个应用软件。一个灵活的信息系统,用于数据捕获、管理、验证、分析和可视化。 DHIS 2 core 2.35、2.36、2.37、2.38、2.39版本存在跨站脚本漏洞,该漏洞源于通过 DHIS2 的各种功能,经过身份验证的用户可以上传包含嵌入式 javascript 的文件,攻击者利用该漏洞可能会诱骗另一个经过身份验证的用户在浏览器中打开恶意文件,这会触发 javascript 代码,从而导致跨站脚本 (XSS) 攻击。
CVSS Information
N/A
Vulnerability Type
N/A