CVE-2023-49277

HIGH

dpaste < 3.8 - Reflected Cross-Site Scripting via Expires Parameter

Title source: llm

Description

dpaste is an open source pastebin application written in Python using the Django framework. A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities. Users are strongly advised to upgrade to dpaste release v3.8 or later versions, as dpaste versions older than v3.8 are susceptible to the identified security vulnerability. No known workarounds have been identified, and applying the patch is the most effective way to remediate the vulnerability.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/DarrenOfficial/dpaste/security/advisories/GHSA-r8j9-5cj7-cv39

Patch x_refsource_misc

https://github.com/DarrenOfficial/dpaste/commit/44a666a79b3b29ed4f340600bfcf55113bfb7086

View Patch ZIP pw:eip

Scores

CVSS v3 8.3

EPSS 0.0049

EPSS Percentile 65.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

darrennathanael/dpaste < 3.8

pypi/Dpaste 0 - 3.8PyPI

Published Dec 01, 2023

Tracked Since Feb 18, 2026