6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29014

GHSA ID

GHSA-7v7g-9vx6-vcg2

EPSS Score

0.70209%

CWE

CWE-79

Published

4/7/2023

Updated

4/7/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29014

CVE-2023-29014: Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter

Impact

A reflected cross-site scripting vulnerability has been identified in Goobi viewer core when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser.

Patches

The vulnerability has been fixed in version 23.03

Credits

We would like to thank RUS-CERT for reporting this issues.

If you have any questions or comments about this advisory:

Email us at support@intranda.com

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29014

GHSA ID

GHSA-7v7g-9vx6-vcg2

EPSS Score

0.70209%

CWE

CWE-79

Published

4/7/2023

Updated

4/7/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.goobi.viewer:viewer-core	maven	< 23.03	23.03

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient input validation in the setLogid method. The patch introduced a regex check ([\w-]+) and exception handling, indicating prior lack of XSS-safe validation. The function directly processes user-controlled LOGID parameter and was vulnerable to script injection before proper sanitization was added. SolrTools.escapeSpecialCharacters() alone doesn't prevent HTML/JS context XSS, making this the clear injection point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * r**l**t** *ross-sit* s*riptin* vuln*r**ility **s ***n i**nti*i** in *oo*i vi*w*r *or* w**n *v*lu*tin* t** LO*I* p*r*m*t*r. *n *tt**k*r *oul* tri*k * us*r into *ollowin* * sp**i*lly *r**t** link to * *oo*i vi*w*r inst*ll*tion, r*sultin* i

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt input v*li**tion in t** s*tLo*i* m*t*o*. T** p*t** intro*u*** * r***x ****k ([\w-]+) *n* *x**ption **n*lin*, in*i**tin* prior l**k o* XSS-s*** v*li**tion. T** *un*tion *ir**tly pro**ss*s us*r-*ontroll** LO*I*

6.1

Basic Information

Concerned about an active attack path?

CVE-2023-29014: Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter

Impact

Patches

Credits

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI