{"api_version":"1","generated_at":"2026-04-22T23:23:54+00:00","cve":"CVE-2023-25827","urls":{"html":"https://cve.report/CVE-2023-25827","api":"https://cve.report/api/cve/CVE-2023-25827.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-25827","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-25827"},"summary":{"title":"CVE-2023-25827","description":"Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.","state":"PUBLIC","assigner":"disclosure@synopsys.com","published_at":"2023-05-03 19:15:00","updated_at":"2023-05-10 20:10:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://github.com/OpenTSDB/opentsdb/pull/2274","name":"https://github.com/OpenTSDB/opentsdb/pull/2274","refsource":"MISC","tags":[],"title":"Fix for #2269 and #2267 XSS vulnerability. by manolama · Pull Request #2274 · OpenTSDB/opentsdb · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.synopsys.com/blogs/software-security/opentsdb/","name":"https://www.synopsys.com/blogs/software-security/opentsdb/","refsource":"MISC","tags":[],"title":"CyRC Vulnerability Advisory: CVE-2023-25826 and CVE-2023-25827 in OpenTSDB | Synopsys","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25827","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25827","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"25827","vulnerable":"1","versionEndIncluding":"2.4.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"opentsdb","cpe5":"opentsdb","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-25827","ASSIGNER":"disclosure@synopsys.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"\nDue to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","cweId":"CWE-79"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"OpenTSDB","product":{"product_data":[{"product_name":"OpenTSDB","version":{"version_data":[{"version_affected":"<=","version_name":"0","version_value":"2.4.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://www.synopsys.com/blogs/software-security/opentsdb/","refsource":"MISC","name":"https://www.synopsys.com/blogs/software-security/opentsdb/"},{"url":"https://github.com/OpenTSDB/opentsdb/pull/2274","refsource":"MISC","name":"https://github.com/OpenTSDB/opentsdb/pull/2274"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"EXTERNAL"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-05-03 19:15:00","lastModifiedDate":"2023-05-10 20:10:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:opentsdb:opentsdb:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.0","versionEndIncluding":"2.4.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}