Description
The `time` and `filter` request parameters in Fava prior to v1.22 are vulnerable to reflected cross-site scripting (XSS): when a supplied value failed to parse, the resulting error message echoed the parameter verbatim and was rendered into the page without HTML escaping, so a crafted link could inject script into the response shown to the victim.
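The bug class in the description, as an added Python example that is not Fava's code and not taken from the advisory or the fixing commit. It models a validation error whose message embeds the raw request parameter and is emitted as HTML, first without escaping (the vulnerable shape) and then with `html.escape` applied (the hardened shape). The `parse_time_filter` grammar, the message wording and the `PAYLOAD` string are assumptions constructed for illustration; the real Fava parser and messages differ.

```python
"""Added example: reflected XSS via an unescaped error message, and its fix.

Not Fava's code. The filter grammar, message text and payload below are
stand-ins chosen to show the bug class the advisory describes.
"""
import re
from html import escape

# Hypothetical time-filter grammar: a year, year-month or year-month-day.
_TIME_RE = re.compile(r"^\d{4}(-\d{2}){0,2}$")


def parse_time_filter(value: str) -> str:
    """Return the filter unchanged if well-formed, else raise with the raw input."""
    if not _TIME_RE.match(value):
        raise ValueError(value)
    return value


def render_error_vulnerable(param_name: str, value: str) -> str:
    """'Before' behaviour: the raw parameter is interpolated into markup as-is."""
    try:
        parse_time_filter(value)
        return ""
    except ValueError as exc:
        # The whole defect: untrusted text becomes HTML without escaping.
        return f'<div class="error">Invalid {param_name} filter: {exc}</div>'


def render_error_fixed(param_name: str, value: str) -> str:
    """Hardened form: every untrusted fragment is escaped before it becomes HTML."""
    try:
        parse_time_filter(value)
        return ""
    except ValueError as exc:
        return (
            f'<div class="error">Invalid {escape(param_name)} filter: '
            f"{escape(str(exc), quote=True)}</div>"
        )


def contains_live_markup(html: str, needle: str) -> bool:
    """Crude check used by the demo: does a raw tag survive in the output?"""
    return needle in html


# Constructed proof-of-concept value of the kind an attacker would place in a
# crafted link's ?time= parameter. It is not a payload from the advisory.
PAYLOAD = "2022<script>alert(document.domain)</script>"

if __name__ == "__main__":
    print(render_error_vulnerable("time", PAYLOAD))
    print(render_error_fixed("time", PAYLOAD))
```

The same defect appears in Jinja2 templates with autoescaping enabled whenever a string built from the parameter is marked trusted (`|safe` or `Markup(...)`) before rendering, so a review of a fix should check both the Python side that formats the message and the template side that outputs it.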
References (2)
Exploit, Patch, Third Party Advisory (x_refsource_confirm)
https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
Patch, Third Party Advisory (x_refsource_misc)
https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
Scores
CVSS v3
6.1
EPSS
0.0032
EPSS Percentile
55.1%
Attack Vector
NETWORK
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
fava_project/fava
< 1.22
pypi/fava
0 - 1.22 (PyPI)
Published
Jul 25, 2022
Tracked Since
Feb 18, 2026