Vulnerabilities related to loomio - loomio
Vulnerability from fkie_nvd
Published
2017-07-24 01:29
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/loomio/loomio/issues/4220 | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/loomio/loomio/releases/tag/1.8.0 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/loomio/loomio/issues/4220 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/loomio/loomio/releases/tag/1.8.0 | Third Party Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:loomio:loomio:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FCC51-7D95-4080-B3FF-4647ABEAE75E", "vulnerable": true }, { "criteria": "cpe:2.3:a:loomio:loomio:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "98FC47CF-01B0-46D8-ADBA-B84D6A85BA93", "vulnerable": true }, { "criteria": "cpe:2.3:a:loomio:loomio:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8121C3F3-FCDF-4120-B8C1-85152C49DCEA", "vulnerable": true }, { "criteria": "cpe:2.3:a:loomio:loomio:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "0CC75F6A-F937-4A89-A856-7D188C13E3D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:loomio:loomio:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "58F7EBC8-9BFB-4FC1-B14F-E5B2BDAEB092", "vulnerable": true }, { "criteria": "cpe:2.3:a:loomio:loomio:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "99D2A210-C4C6-450B-A815-86D8FDF24EF8", "vulnerable": true }, { "criteria": "cpe:2.3:a:loomio:loomio:1.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "D56939EC-D022-4120-BA1E-A3C008A4398A", "vulnerable": true }, { "criteria": "cpe:2.3:a:loomio:loomio:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DEC9D29-4D87-45E1-BF4E-5D59BDC17FEC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross-site-scripting (XSS) en el analizador Markdown en Loomio anterior a la versi\u00f3n 1.8.0, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio de contenido Markdown no saneado en un nuevo hilo (subproceso) o un comentario de hilo (subproceso)." 
} ], "id": "CVE-2017-11594", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-07-24T01:29:00.740", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/loomio/loomio/issues/4220" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/loomio/loomio/releases/tag/1.8.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/loomio/loomio/issues/4220" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/loomio/loomio/releases/tag/1.8.0" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-20 00:15
Modified
2025-09-30 19:15
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Loomio version 2.22.0 allows executing arbitrary commands on the server.
This is possible because the application is vulnerable to OS Command Injection.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:loomio:loomio:2.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "CC64D586-302C-482F-B1D2-E862F244ECFE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Loomio version 2.22.0 allows executing arbitrary commands on the server.\n\nThis is possible because the application is vulnerable to OS Command Injection." }, { "lang": "es", "value": "La versi\u00f3n 2.22.0 de Loomio permite ejecutar comandos arbitrarios en el servidor. Esto es posible porque la aplicaci\u00f3n es vulnerable a la inyecci\u00f3n de comandos del sistema operativo." } ], "id": "CVE-2024-1297", "lastModified": "2025-09-30T19:15:34.927", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "help@fluidattacks.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-20T00:15:14.463", "references": [ { "source": "help@fluidattacks.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://fluidattacks.com/advisories/stones" }, { "source": "help@fluidattacks.com", "tags": [ "Product" ], "url": 
"https://github.com/loomio/loomio" }, { "source": "help@fluidattacks.com", "url": "https://github.com/loomio/loomio/commit/6bc5429bfb5a9c7c811a4487d97ea54a8b23a0fa#diff-b9a7e6b3dfb0fd855c11198a7c53e6f6f90945f28c78cc5dbd960d04d5d28203" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://fluidattacks.com/advisories/stones" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://github.com/loomio/loomio" } ], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "help@fluidattacks.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2017-11594 (GCVE-0-2017-11594)
Vulnerability from cvelistv5
Published
2017-07-24 01:00
Modified
2024-08-05 18:12
Severity ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment.
References
URL | Tags |
---|---|---|
https://github.com/loomio/loomio/issues/4220 | x_refsource_CONFIRM | |
https://github.com/loomio/loomio/releases/tag/1.8.0 | x_refsource_CONFIRM | |
https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T18:12:40.829Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/loomio/loomio/issues/4220" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/loomio/loomio/releases/tag/1.8.0" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-24T01:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/loomio/loomio/issues/4220" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/loomio/loomio/releases/tag/1.8.0" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-11594", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new thread or a thread comment." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/loomio/loomio/issues/4220", "refsource": "CONFIRM", "url": "https://github.com/loomio/loomio/issues/4220" }, { "name": "https://github.com/loomio/loomio/releases/tag/1.8.0", "refsource": "CONFIRM", "url": "https://github.com/loomio/loomio/releases/tag/1.8.0" }, { "name": "https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe", "refsource": "CONFIRM", "url": "https://github.com/loomio/loomio/commit/63973f71e337ead8ca7b7ae2a043b837032dc3fe" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-11594", "datePublished": "2017-07-24T01:00:00", "dateReserved": "2017-07-23T00:00:00", "dateUpdated": "2024-08-05T18:12:40.829Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-1297 (GCVE-0-2024-1297)
Vulnerability from cvelistv5
Published
2024-02-19 23:41
Modified
2025-09-30 19:10
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Loomio version 2.22.0 allows executing arbitrary commands on the server.
This is possible because the application is vulnerable to OS Command Injection.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T18:33:25.342Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/loomio/loomio" }, { "tags": [ "x_transferred" ], "url": "https://fluidattacks.com/advisories/stones" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:loomio:loomio:2.22.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "loomio", "vendor": "loomio", "versions": [ { "status": "affected", "version": "2.22.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-1297", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-28T19:46:03.187612Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-28T19:46:53.377Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Loomio", "vendor": "Loomio", "versions": [ { "status": "affected", "version": "2.22.0" } ] } ], "datePublic": "2024-02-19T23:38:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003e\u003cdiv\u003eLoomio version 2.22.0 allows executing arbitrary commands on the server.\u003c/div\u003e\u003cdiv\u003eThis is possible because the application is vulnerable to OS Command Injection.\u003c/div\u003e\u003c/div\u003e" } ], "value": "Loomio version 2.22.0 allows executing arbitrary commands on the server.\n\nThis is possible because the application is vulnerable to OS Command Injection." 
} ], "impacts": [ { "capecId": "CAPEC-242", "descriptions": [ { "lang": "en", "value": "CAPEC-242 Code Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-30T19:10:07.621Z", "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks" }, "references": [ { "tags": [ "product" ], "url": "https://github.com/loomio/loomio" }, { "tags": [ "third-party-advisory" ], "url": "https://fluidattacks.com/advisories/stones" }, { "tags": [ "patch" ], "url": "https://github.com/loomio/loomio/commit/6bc5429bfb5a9c7c811a4487d97ea54a8b23a0fa#diff-b9a7e6b3dfb0fd855c11198a7c53e6f6f90945f28c78cc5dbd960d04d5d28203" } ], "source": { "discovery": "EXTERNAL" }, "title": "Loomio 2.22.0 - Code injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "assignerShortName": "Fluid Attacks", "cveId": "CVE-2024-1297", "datePublished": "2024-02-19T23:41:47.207Z", "dateReserved": "2024-02-06T21:45:03.994Z", "dateUpdated": "2025-09-30T19:10:07.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }