CVE-2023-29014

MEDIUM

Goobi viewer core < 23.03 - Reflected Cross-Site Scripting via LOGID Parameter

Title source: llm

Description

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser. The vulnerability has been fixed in version 23.03.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2

Patch x_refsource_misc

https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455

View Patch ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0044

EPSS Percentile 35.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

intranda/goobi_viewer_core < 23.03

io.goobi.viewer/viewer-core 0 - 23.03Maven

Published Apr 06, 2023

Tracked Since Feb 18, 2026