CVE-2019-20008

Description

In Archery before 1.3, inserting an XSS payload into a project name (either by creating a new project or editing an existing one) will result in stored XSS on the vulnerability-scan scheduling page.

How to fix CVE-2019-20008

To remediate CVE-2019-20008, upgrade the affected package to a fixed version below.

• PyPI/pyarchery—upgrade to 1.3.0 or later

Is CVE-2019-20008 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.3.0

References (3)

• REPORTgithub.com/archerysec/archerysec/issues/338
• WEBgithub.com/archerysec/archerysec/compare/archerysec-v1.2...v1.3
• WEBgithub.com/archerysec/archerysec/releases/tag/v1.3