How severe is CVE-2024-37166?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.9 out of 10.

What type of vulnerability is CVE-2024-37166?

This is classified as CWE-79, which is a common weakness in software security.

CVE-2024-37166 - HIGH Severity | CVSS 8.9

Vulnerability Description

ghtml is software that uses tagged templates for template engine functionality. It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Version 2.0.0 introduces changes to mitigate this issue. Version 2.0.0 contains updated documentation to clarify that while ghtml escapes characters with special meaning in HTML, it does not provide comprehensive protection against all types of XSS attacks in every scenario. This aligns with the approach taken by other template engines. Developers should be cautious and take additional measures to sanitize user input and prevent potential vulnerabilities. Additionally, the backtick character (`) is now also escaped to prevent the creation of strings in most cases where a malicious actor somehow gains the ability to write JavaScript. This does not provide comprehensive protection either.

Related Vulnerabilities

CVE-2020-24897

HIGH

CVSS:8.9(High)

The Table Filter and Charts for Confluence Server app before 5.3.25 (for Atlassian Confluence) allow remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) through the ...

CWE-792020

CVE-2020-26280

HIGH

CVSS:8.9(High)

OpenSlides is a free, Web-based presentation and assembly system for managing and projecting agenda, motions, and elections of assemblies. OpenSlides version 3.2, due to unsufficient user input valida...

CWE-792020

CVE-2020-8773

HIGH

CVSS:8.9(High)

The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability.

CWE-792020

CVE-2020-8775

HIGH

CVSS:8.9(High)

Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags.

CWE-792020

CVE-2022-39824

HIGH

CVSS:8.9(High)

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perfo...

CWE-792022

CVE-2022-4975

HIGH

CVSS:8.9(High)

A flaw was found in the Red Hat Advanced Cluster Security (RHACS) portal. When rendering a table view in the portal, for example, on any of the /main/configmanagement/* endpoints, the front-end genera...

CWE-792022