Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| loomio | loomio | 1.2.0 |
| loomio | loomio | 1.3.0 |
| loomio | loomio | 1.6.0 |
| loomio | loomio | 1.1.0 |
| loomio | loomio | 1.4.0 |
| loomio | loomio | 1.5.0 |
| loomio | loomio | 1.7.0 |
| loomio | loomio | 1.0.0 |
Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| help@fluidattacks.com | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| loomio | loomio | 2.22.0 |