CVE-2024-36109

CoCalc is web-based software that enables collaboration in research, teaching, and scientific publishing. In affected versions the markdown parser allows `<script>` tags to be included which execute when published. This issue has been addressed in commit `419862a9c9879c`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
GitHub_MCNA
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
CISA-ADPADP
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Common Weakness Enumeration
References
https://github.com/sagemathinc/cocalc/commit/419862a9c9879c
https://github.com/sagemathinc/cocalc/security/advisories/GHSA-8w44-hggw-p5rf
https://github.com/sagemathinc/cocalc/commit/419862a9c9879c
https://github.com/sagemathinc/cocalc/security/advisories/GHSA-8w44-hggw-p5rf