
CVE-2023-48094 - XSS Vulnerability

Open juburr opened this issue 2 years ago • 3 comments

As of last night, Cesium is now being flagged by Dependabot.

A cross-site scripting (XSS) vulnerability in CesiumJS v1.111 allows attackers to execute arbitrary code in the context of the victim's browser via sending a crafted payload to /container_files/public_html/doc/index.html.


juburr avatar Nov 21 '23 14:11 juburr

Hi @juburr, thanks for the heads up. We're looking into this. The file mentioned, /container_files/public_html/doc/index.html, appears to be erroneous, but we are confirming.

ggetz avatar Nov 22 '23 18:11 ggetz

The CVE in question has been modified with our position and is currently awaiting re-analysis.

ggetz avatar Dec 07 '23 15:12 ggetz

The vulnerability has been withdrawn from Dependabot. Ref: https://github.com/github/advisory-database/pull/3084

juburr avatar Dec 20 '23 01:12 juburr