Input validation error in Postcss

#VU81307 Input validation error in Postcss

Cybersecurity Help s.r.o.

Published: 2023-10-02

Vulnerability identifier: #VU81307

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-44270

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Postcss
/

Vendor: Postcss

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of external CSS files when parsing the "\r" character. A remote attacker can pass specially crafted input to the application and perform spoofing attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Postcss: 8.0.0 - 8.4.30

External links
http://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
http://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
http://github.com/postcss/postcss/releases/tag/8.4.31

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data

Multiple vulnerabilities in IBM QRadar Suite software

Multiple vulnerabilities in IBM Analyst Workflow

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Input validation error in IBM Business Automation Workflow

Input validation error in IBM Edge Data Collector

Multiple vulnerabilities in IBM Cloud Pak for Network Automation

Multiple vulnerabilities in IBM QRadar Use Case Manager

Input validation error in IBM Event Processing

Multiple vulnerabilities in IBM QRadar User Behavior Analytics