VDB
CVE-2019-13122
CVE-2019-13122
PUBLISHED
CVSS 4.300000190734863 MEDIUM
A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids in Patchwork v1.1 through v2.1.x. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix.
EPSS 0.75% · 73.4th percentile
Risk Scores
CVSS v2.0
4.300000190734863
EPSS Score
0.75%
73.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| ozlabs | patchwork | 1.1, 2.1.0, 2.1.0 |
Timeline
- Jul 10, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://github.com/getpatchwork/patchwork/releases url
- https://github.com/getpatchwork/patchwork/commits/master url
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/date.html url
- http://jk.ozlabs.org/projects/patchwork/ url
- [oss-security] 20190705 CVE-2019-13122: Patchwork: XSS via Message-ID mailing-list
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/005870.html url
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/005878.html url
- https://nvd.nist.gov/vuln/detail/CVE-2019-13122 advisory
- http://jk.ozlabs.org/projects/patchwork url