References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79

OR
          *cpe:2.3:a:openziti:openziti:*:*:*:*:*:*:*:* versions from (excluding) 3.7.1

GitHub, Inc.: https://github.com/openziti/ziti-console/security/advisories/GHSA-frxm-vm48-5qf2 Types: Third Party Advisory

OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint(/api/upload) on the admin panel can be accessed without any form of authentication. This endpoint accepts an HTTP POST to upload a file which is then stored on the node and is available via URL. This can lead to a stored cross site scripting attack if the file uploaded contains malicious code and is then accessed and executed within the context of the user's browser. This function is no longer necessary as the ziti-console moves from a node server application to a single page application, and has been disabled. The vulnerability is fixed in 3.7.1.

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-79

https://github.com/openziti/ziti-console/security/advisories/GHSA-frxm-vm48-5qf2