Search criteria
5 vulnerabilities by intranda
CVE-2026-45083 (GCVE-0-2026-45083)
Vulnerability from cvelistv5 – Published: 2026-05-27 21:00 – Updated: 2026-05-27 21:00
VLAI
Title
Goobi viewer: Unauthenticated Solr Streaming Expression Proxy
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1.
Severity
9.8 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
>= 4.8.0, < 26.04.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.8.0, \u003c 26.04.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T21:00:52.103Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f-4499"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f615934ca68ebbd"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38e8bf46acac705"
}
],
"source": {
"advisory": "GHSA-2rgp-f66f-4499",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer: Unauthenticated Solr Streaming Expression Proxy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45083",
"datePublished": "2026-05-27T21:00:52.103Z",
"dateReserved": "2026-05-08T18:45:10.097Z",
"dateUpdated": "2026-05-27T21:00:52.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-29016 (GCVE-0-2023-29016)
Vulnerability from cvelistv5 – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:11
VLAI
Title
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts into their profile's nickname, resulting in the execution in the user's browser when displaying the nickname on certain pages. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.349Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:11:27.122227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:11:32.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when using nicknames. An attacker could create a user account and enter malicious scripts into their profile\u0027s nickname, resulting in the execution in the user\u0027s browser when displaying the nickname on certain pages. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:26.948Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2r9r-8fcg-m38g"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/8eadb32b3fdcb775678b74d95bc3df018a5d5238"
}
],
"source": {
"advisory": "GHSA-2r9r-8fcg-m38g",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29016",
"datePublished": "2023-04-06T19:03:26.948Z",
"dateReserved": "2023-03-29T17:39:16.144Z",
"dateUpdated": "2025-02-10T16:11:32.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29015 (GCVE-0-2023-29015)
Vulnerability from cvelistv5 – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:11
VLAI
Title
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user's browser when displaying the comment. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:11:53.838013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:11:59.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user\u0027s browser when displaying the comment. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:23.713Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-622w-995c-3c3h"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/f0ccde2d469efd9597c3062d00177a63341f2256"
}
],
"source": {
"advisory": "GHSA-622w-995c-3c3h",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29015",
"datePublished": "2023-04-06T19:03:23.713Z",
"dateReserved": "2023-03-29T17:39:16.143Z",
"dateUpdated": "2025-02-10T16:11:59.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29014 (GCVE-0-2023-29014)
Vulnerability from cvelistv5 – Published: 2023-04-06 19:03 – Updated: 2025-02-10 16:12
VLAI
Title
Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter
Summary
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser. The vulnerability has been fixed in version 23.03.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 23.03
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:12:19.552877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:12:23.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 23.03"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A reflected cross-site scripting vulnerability has been identified in Goobi viewer core prior to version 23.03 when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user\u0027s browser. The vulnerability has been fixed in version 23.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-06T19:03:19.967Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7v7g-9vx6-vcg2"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/c29efe60e745a94d03debc17681c4950f3917455"
}
],
"source": {
"advisory": "GHSA-7v7g-9vx6-vcg2",
"discovery": "UNKNOWN"
},
"title": "Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29014",
"datePublished": "2023-04-06T19:03:19.967Z",
"dateReserved": "2023-03-29T17:39:16.143Z",
"dateUpdated": "2025-02-10T16:12:23.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15124 (GCVE-0-2020-15124)
Vulnerability from cvelistv5 – Published: 2020-07-22 17:35 – Updated: 2024-08-04 13:08
VLAI
Title
Path traversal in Goobi viewer Core
Summary
In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3
Severity
9.6 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/intranda/goobi-viewer-core/sec… | x_refsource_CONFIRM |
| https://github.com/intranda/goobi-viewer-core/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| intranda | goobi-viewer-core |
Affected:
< 4.8.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.787Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "goobi-viewer-core",
"vendor": "intranda",
"versions": [
{
"status": "affected",
"version": "\u003c 4.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-22T17:35:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
],
"source": {
"advisory": "GHSA-7gwq-xqw3-cr63",
"discovery": "UNKNOWN"
},
"title": "Path traversal in Goobi viewer Core",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15124",
"STATE": "PUBLIC",
"TITLE": "Path traversal in Goobi viewer Core"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "goobi-viewer-core",
"version": {
"version_data": [
{
"version_value": "\u003c 4.8.3"
}
]
}
}
]
},
"vendor_name": "intranda"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Goobi Viewer Core before version 4.8.3, a path traversal vulnerability allows for remote attackers to access files on the server via the application. This is limited to files accessible to the application server user, eg. tomcat, but can potentially lead to the disclosure of sensitive information. The vulnerability has been fixed in version 4.8.3"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63",
"refsource": "CONFIRM",
"url": "https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-7gwq-xqw3-cr63"
},
{
"name": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3",
"refsource": "MISC",
"url": "https://github.com/intranda/goobi-viewer-core/commit/44ceb8e2e7e888391e8a941127171d6366770df3"
}
]
},
"source": {
"advisory": "GHSA-7gwq-xqw3-cr63",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15124",
"datePublished": "2020-07-22T17:35:13.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:21.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}