CVE-2023-40024

MEDIUM

scancode.io < 32.5.2 - Cross-Site Scripting in License Details View

Title source: llm

Description

ScanCode.io is a server to script and automate software composition analysis pipelines. In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the `license_details_view` function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release `32.5.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/nexB/scancode.io/security/advisories/GHSA-6xcx-gx7r-rccj

Release Notes x_refsource_misc

https://github.com/nexB/scancode.io/blob/dd7769fbc97c84545579cebf1dc4838214098a11/CHANGELOG.rst#v3252-2023-08-14

View Writeup ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0044

EPSS Percentile 35.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

nexb/scancode.io < 32.5.1

pypi/scancodeio 0 - 32.5.2PyPI

Published Aug 14, 2023

Tracked Since Feb 18, 2026