caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting
Moderate severity • GitHub Reviewed • Published Feb 13, 2024 to the GitHub Advisory Database • Updated Oct 16, 2024
Package
Affected versions: <= 1.1.20
Patched versions: None
Description
The caddy-security plugin 1.1.20 for Caddy allows reflected XSS via a GET request to a URL that contains an XSS payload and begins with either a /admin or /settings/mfa/delete/ substring.
Published by the National Vulnerability Database: Feb 12, 2024
Published to the GitHub Advisory Database: Feb 13, 2024
Reviewed: Feb 13, 2024
Last updated: Oct 16, 2024