Description
Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/jhpyle/docassemble/security/advisories/GHSA-pcfx-g2j2-f6f6
Scores
CVSS v3
6.1
EPSS
0.0021
EPSS Percentile
42.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
jhpyle/docassemble
< 1.4.97
pypi/docassemble.webapp
0 - 1.4.97PyPI
Published
Mar 21, 2024
Tracked Since
Feb 18, 2026