There are 3 open security issues in bullseye.
3 issues left for the package maintainer to handle:
- CVE-2022-2514:
(needs triaging)
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages, which contained the parameters verbatim.
- CVE-2022-2523:
(needs triaging)
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2.
- CVE-2022-2589:
(needs triaging)
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3.
You can find information about how to handle these issues in the security team's documentation.