MidnightBSD

Advisories for publify_project

CVE-2014-3211 MEDIUM

Publify before 8.0.1 is vulnerable to a Denial of Service attack

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2021-25973 MEDIUM

In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. “guest” role users can self-register even when the admin does not allow. This happens due to front-end restriction only.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5
vulnerabilitylab@mend.io 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,CWE-669,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2021-25974 LOW

In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
vulnerabilitylab@mend.io 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2021-25975 LOW

In publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
vulnerabilitylab@mend.io 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2022-0524 MEDIUM

Business Logic Errors in GitHub repository publify/publify prior to 9.2.7.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-840,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2022-0574 MEDIUM

Improper Access Control in GitHub repository publify/publify prior to 9.2.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-863,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2022-0578 MEDIUM

Code Injection in GitHub repository publify/publify prior to 9.2.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,NVD-CWE-Other,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2022-1553 MEDIUM

Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website, compromising confidentiality and integrity of users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-863,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2022-1810 MEDIUM

Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639,CWE-639,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2022-1811 LOW

Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-434,CWE-434,

Products Affected

Vendor Product Version
publify_project publify *
CVE-2022-1812

Integer Overflow or Wraparound in GitHub repository publify/publify prior to 9.2.10.

Products Affected

Vendor Product Version
publify_project publify *
CVE-2022-2815

Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.

Products Affected

Vendor Product Version
publify_project publify *
CVE-2023-0299

Improper Input Validation in GitHub repository publify/publify prior to 9.2.10.

Products Affected

Vendor Product Version
publify_project publify *
CVE-2023-0569

Weak Password Requirements in GitHub repository publify/publify prior to 9.2.10.

Products Affected

Vendor Product Version
publify_project publify *