#VU88804 Cross-site scripting in aiohttp


Vulnerability identifier: #VU88804

Vulnerability risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27306

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
aiohttp
Other software / Other software solutions

Vendor: aio-libs

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the web.static(..., show_index=True) method in index pages for static file handling. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

aiohttp: 0.1 - 3.9.3

External links
http://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for python-aiohttp
Multiple vulnerabilities in IBM QRadar Suite Software
Multiple vulnerabilities in IBM Cloud Pak for AIOps
Multiple vulnerabilities in Ansible Automation Platform 2.4 packages
Fedora EPEL 9 update for python-aiohttp
Fedora 38 update for python-aiohttp
Fedora 39 update for python-aiohttp
Fedora 40 update for python-aiohttp, python-openapi-core
Cross-site scripting in aiohttp