MidnightBSD

Advisories for loomio

CVE-2017-11594 LOW

Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
loomio loomio 1.2.0
loomio loomio 1.3.0
loomio loomio 1.6.0
loomio loomio 1.1.0
loomio loomio 1.4.0
loomio loomio 1.5.0
loomio loomio 1.7.0
loomio loomio 1.0.0
CVE-2024-1297

Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
help@fluidattacks.com 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

Products Affected

Vendor Product Version
loomio loomio 2.22.0