Upstream information

CVE-2022-35133 at MITRE

Description

A cross-site scripting (XSS) vulnerability in CherryTree v0.99.30 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  National Vulnerability Database
Base Score 6.1
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Impact Low
Integrity Impact Low
Availability Impact None
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1202513 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 15 SP4
  • cherrytree >= 0.99.49+3-bp154.2.3.2
  • cherrytree-lang >= 0.99.49+3-bp154.2.3.2
Patchnames:
openSUSE-2022-10230
openSUSE Leap 15.4
  • cherrytree >= 0.99.49+3-bp154.2.3.2
  • cherrytree-lang >= 0.99.49+3-bp154.2.3.2
Patchnames:
openSUSE-2022-10230
openSUSE Tumbleweed
  • cherrytree >= 0.99.49+3-1.1
  • cherrytree-lang >= 0.99.49+3-1.1
Patchnames:
openSUSE Tumbleweed GA cherrytree-0.99.49+3-1.1


SUSE Timeline for this CVE

CVE page created: Thu Aug 18 02:00:14 2022
CVE page last modified: Sun Dec 4 18:21:47 2022