Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Reflected Cross-Site Scripting (XSS) in scancode.io license endpoint
Vulnerability Description
ScanCode.io is a server to script and automate software composition analysis pipelines. In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the `license_details_view` function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release `32.5.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
ScanCode 跨站脚本漏洞
Vulnerability Description
ScanCode是一个开源的工具,用于分析和扫描源代码中的开源许可证信息和潜在的知识产权问题。 ScanCode.io 32.5.1及之前版本存在跨站脚本漏洞,该漏洞源于/license/端点存在反射型跨站脚本(XSS)漏洞。
CVSS Information
N/A
Vulnerability Type
N/A