CVE-2024-25712

Sažetak

http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded (via httpSwagger.WrapHandler and *webdav.memFile) can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because (if a solution continued to allow PUT requests) large files could have been blocked without blocking JavaScript, or JavaScript could have been blocked without blocking large files.

Reference

https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html
https://github.com/swaggo/http-swagger/releases/tag/v1.2.6
https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html
https://github.com/swaggo/http-swagger/releases/tag/v1.2.6

CVSS

Base:	6.1
Impact:	2.7
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Zadnje važnije ažuriranje

16-06-2025 - 19:15

Objavljeno

29-02-2024 - 01:44