CVE-2024-36110 — ansibleguy-webui Cross-site Scripting vulnerability

Description

### Impact Multiple forms in version <0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. ### Patches We recommend to upgrade to version >= [0.0.21](https://github.com/ansibleguy/webui/releases/tag/0.0.21) ### References * [Report](https://github.com/ansibleguy/webui/files/15358522/Report.pdf) * [GitHub Issue 44](https://github.com/ansibleguy/webui/issues/44)

How to fix CVE-2024-36110

To remediate CVE-2024-36110, upgrade the affected package to a fixed version below.

—upgrade to 0.0.21 or later

Is CVE-2024-36110 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.0.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-36110
PATCHgithub.com/ansibleguy/webui
WEBgithub.com/ansibleguy/webui/commit/7737b47e7f7ddbfec7b1418c724598363718d522
WEBgithub.com/ansibleguy/webui/files/15358522/Report.pdf
WEB