CVE-2023-44270
ADVISORY - githubSummary
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.
EPSS Score: 0.00112 (0.305)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ADVISORY - github
ADVISORY - gitlab
ADVISORY - redhat
Improper Neutralization of CRLF Sequences ('CRLF Injection')
NIST
CREATED
UPDATED
ADVISORY IDCVE-2023-44270
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
5.3mediumGitHub
CVSS SCORE
5.3mediumDebian
CREATED
UPDATED
ADVISORY IDCVE-2023-44270
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Ubuntu
CREATED
UPDATED
ADVISORY IDCVE-2023-44270
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
5.3mediumRed Hat
CREATED
UPDATED
ADVISORY IDCVE-2023-44270
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)