NuGet package
serenity.net.core
pkg:nuget/serenity.net.core
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-26318 | — | < 6.8.0 | 6.8.0 | Feb 19, 2024 | Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character. | ||
| CVE-2023-31287 | — | < 6.7.0 | 6.7.0 | Apr 27, 2023 | An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the passwor | ||
| CVE-2023-31286 | — | < 6.7.0 | 6.7.0 | Apr 27, 2023 | An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist. | ||
| CVE-2023-31285 | — | < 6.7.0 | 6.7.0 | Apr 27, 2023 | An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an administra |
- CVE-2024-26318Feb 19, 2024affected < 6.8.0fixed 6.8.0
Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.
- CVE-2023-31287Apr 27, 2023affected < 6.7.0fixed 6.7.0
An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the passwor
- CVE-2023-31286Apr 27, 2023affected < 6.7.0fixed 6.7.0
An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist.
- CVE-2023-31285Apr 27, 2023affected < 6.7.0fixed 6.7.0
An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an administra