#VU81307 Input validation error in Postcss


Published: 2023-10-02

Vulnerability identifier: #VU81307

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-44270

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Postcss
/

Vendor: Postcss

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of external CSS files when parsing the "\r" character. A remote attacker can pass specially crafted input to the application and perform spoofing attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Postcss: 8.0.0 - 8.4.30

External links
http://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
http://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
http://github.com/postcss/postcss/releases/tag/8.4.31

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data
Multiple vulnerabilities in IBM QRadar Suite software
Multiple vulnerabilities in IBM Analyst Workflow
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
Input validation error in IBM Business Automation Workflow
Input validation error in IBM Edge Data Collector
Multiple vulnerabilities in IBM Cloud Pak for Network Automation
Multiple vulnerabilities in IBM QRadar Use Case Manager
Input validation error in IBM Event Processing
Multiple vulnerabilities in IBM QRadar User Behavior Analytics