{"id":"CVE-2023-42808","summary":"Common Voice Cross-site Scripting vulnerability","details":"Common Voice is the web app for Mozilla Common Voice, a platform for collecting speech donations in order to create public domain datasets for training voice recognition-related tools. Version 1.88.2 is vulnerable to reflected Cross-Site Scripting given that user-controlled data flows to a path expression (path of a network request). This issue may lead to reflected Cross-Site Scripting (XSS) in the context of Common Voice’s server origin. As of time of publication, it is unknown whether any patches or workarounds exist.","modified":"2026-04-10T05:04:47.382698Z","published":"2023-10-04T19:11:22.906Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42808.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/mozilla/common-voice/blob/9d6ffd755e29b81918b86b9f5218b9c27d9c1c1a/server/src/fetch-legal-document.ts#LL21-L62C2"},{"type":"WEB","url":"https://github.com/mozilla/common-voice/blob/9d6ffd755e29b81918b86b9f5218b9c27d9c1c1a/server/src/server.ts#L214"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42808.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42808"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2023-026_Common_Voice/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/common-voice/common-voice","events":[{"introduced":"0"},{"last_affected":"2ad1174b47556896c83f92ac307469b51da89671"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.88.2"}]}}],"versions":["4db8fb386","dev-v1.23.0-test-master","dev-v1.23.0-test-master-1","release-v1.26.0","release-v1.27.0","release-v1.27.1","release-v1.27.2","release-v1.28.0","release-v1.28.1-redirect-hotfix","release-v1.29.0","release-v1.30.0","release-v1.30.1-fxvoice-link","release-v1.30.2-null-clip-locales","release-v1.31.0","release-v1.32.0","release-v1.33.0","release-v1.33.1-rw-sentences","release-v1.34.1-ga-hash","release-v1.35.0","release-v1.35.1-lg-contributable","release-v1.35.2-rc1-lg-pontoon","release-v1.39.3","release-v1.39.4-rc1","release-v1.39.5","release-v1.40.0","release-v1.40.1","release-v1.41.0","release-v1.42.0","release-v1.43.0","release-v1.44.0","release-v1.46.0","release-v1.47.0","release-v1.47.1-cinchy-hotfix","release-v1.48.0","release-v1.56.0","release-v1.56.1","release-v1.56.2","release-v1.57.0","release-v1.58.0","release-v1.62.0","release-v1.63.0","release-v1.63.1","release-v1.64.0","release-v1.65.0","release-v1.65.1","release-v1.66.3","release-v1.67.3","release-v1.69.0","release-v1.69.1","release-v1.69.2","release-v1.70.0","release-v1.71.0","release-v1.72.1","release-v1.73.1","release-v1.73.2","release-v1.73.3","release-v1.73.4","release-v1.74.0","release-v1.74.1","release-v1.75.0","release-v1.75.1","release-v1.76.0","release-v1.76.1","release-v1.76.2","release-v1.77.0","release-v1.78.0","release-v1.79.0","release-v1.80.0","release-v1.81.0","release-v1.81.1","release-v1.81.2","release-v1.81.3","release-v1.82.1","release-v1.83.0","release-v1.84.0","release-v1.85.0","release-v1.86.0","release-v1.86.1","release-v1.86.2","release-v1.87.0","release-v1.87.1","release-v1.87.2","release-v1.88.0","release-v1.88.1","release-v1.88.2","sandbox-v0.0.1","sandbox-v0.0.2","sandbox-v0.0.3","sandbox-v0.0.4","sandbox-v0.0.5","stage-v1.23-k8s-stage","stage-v1.24.0-rc1","stage-v1.26.0-rc1","stage-v1.27.0-rc1","stage-v1.27.1-rc1","stage-v1.30.0-rc2","stage-v1.31.0-rc1","stage-v1.31.0-rc2","stage-v1.32.0-rc1","stage-v1.33.0-rc1","stage-v1.33.0-rc2","stage-v1.33.0-rc3","stage-v1.34.1-rc1","stage-v1.35.0-rc0-rs-metadata-test","stage-v1.35.0-rc1","stage-v1.35.0-rc2-lg-contributable","stage-v1.35.2-rc1-lg-pontoon","stage-v1.36.0-rc0-metadata-prerelease","stage-v1.37.0-rc1","stage-v1.37.0-rc2","stage-v1.39.3-rc1","stage-v1.39.5-rc1","stage-v1.40.0-rc1","stage-v1.41.0-rc1","stage-v1.41.0-rc3","stage-v1.42.0-rc1","stage-v1.43.0-rc1","stage-v1.44.0-rc1","stage-v1.45.0-rc1","stage-v1.46.0-rc1","stage-v1.47.0-rc1","stage-v1.47.0-rc2","stage-v1.48.0-rc1","stage-v1.49.0-rc1","stage-v1.49.0-rc2","stage-v1.54.1-rc2","stage-v1.56.0-rc1","stage-v1.56.1-rc1","stage-v1.56.1-rc2","stage-v1.57.0-rc1","stage-v1.58.0-rc1","stage-v1.58.0-rc2","stage-v1.62.0-rc1","stage-v1.63.0-rc1","stage-v1.63.1-rc1","stage-v1.64.0-rc2","stage-v1.65.0-rc1","stage-v1.65.0-rc2","stage-v1.65.0-rc3","staging-v0.0.1","staging-v0.0.2","staging-v0.0.3","staging-v1.23.0-master-test-1","staging-v1.23.0-master-test-2","staging-v1.23.0-ssm-fix","staging-v1.24.0-dataset-lang-switch","staging-v22.0-rc1","v1.22.0","v1.23.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42808.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/mozilla/common-voice","events":[{"introduced":"0"},{"last_affected":"2ad1174b47556896c83f92ac307469b51da89671"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.88.2"}]}}],"versions":["4db8fb386","dev-v1.23.0-test-master","dev-v1.23.0-test-master-1","release-v1.26.0","release-v1.27.0","release-v1.27.1","release-v1.27.2","release-v1.28.0","release-v1.28.1-redirect-hotfix","release-v1.29.0","release-v1.30.0","release-v1.30.1-fxvoice-link","release-v1.30.2-null-clip-locales","release-v1.31.0","release-v1.32.0","release-v1.33.0","release-v1.33.1-rw-sentences","release-v1.34.1-ga-hash","release-v1.35.0","release-v1.35.1-lg-contributable","release-v1.35.2-rc1-lg-pontoon","release-v1.39.3","release-v1.39.4-rc1","release-v1.39.5","release-v1.40.0","release-v1.40.1","release-v1.41.0","release-v1.42.0","release-v1.43.0","release-v1.44.0","release-v1.46.0","release-v1.47.0","release-v1.47.1-cinchy-hotfix","release-v1.48.0","release-v1.56.0","release-v1.56.1","release-v1.56.2","release-v1.57.0","release-v1.58.0","release-v1.62.0","release-v1.63.0","release-v1.63.1","release-v1.64.0","release-v1.65.0","release-v1.65.1","release-v1.66.3","release-v1.67.3","release-v1.69.0","release-v1.69.1","release-v1.69.2","release-v1.70.0","release-v1.71.0","release-v1.72.1","release-v1.73.1","release-v1.73.2","release-v1.73.3","release-v1.73.4","release-v1.74.0","release-v1.74.1","release-v1.75.0","release-v1.75.1","release-v1.76.0","release-v1.76.1","release-v1.76.2","release-v1.77.0","release-v1.78.0","release-v1.79.0","release-v1.80.0","release-v1.81.0","release-v1.81.1","release-v1.81.2","release-v1.81.3","release-v1.82.1","release-v1.83.0","release-v1.84.0","release-v1.85.0","release-v1.86.0","release-v1.86.1","release-v1.86.2","release-v1.87.0","release-v1.87.1","release-v1.87.2","release-v1.88.0","release-v1.88.1","release-v1.88.2","sandbox-v0.0.1","sandbox-v0.0.2","sandbox-v0.0.3","sandbox-v0.0.4","sandbox-v0.0.5","stage-v1.23-k8s-stage","stage-v1.24.0-rc1","stage-v1.26.0-rc1","stage-v1.27.0-rc1","stage-v1.27.1-rc1","stage-v1.30.0-rc2","stage-v1.31.0-rc1","stage-v1.31.0-rc2","stage-v1.32.0-rc1","stage-v1.33.0-rc1","stage-v1.33.0-rc2","stage-v1.33.0-rc3","stage-v1.34.1-rc1","stage-v1.35.0-rc0-rs-metadata-test","stage-v1.35.0-rc1","stage-v1.35.0-rc2-lg-contributable","stage-v1.35.2-rc1-lg-pontoon","stage-v1.36.0-rc0-metadata-prerelease","stage-v1.37.0-rc1","stage-v1.37.0-rc2","stage-v1.39.3-rc1","stage-v1.39.5-rc1","stage-v1.40.0-rc1","stage-v1.41.0-rc1","stage-v1.41.0-rc3","stage-v1.42.0-rc1","stage-v1.43.0-rc1","stage-v1.44.0-rc1","stage-v1.45.0-rc1","stage-v1.46.0-rc1","stage-v1.47.0-rc1","stage-v1.47.0-rc2","stage-v1.48.0-rc1","stage-v1.49.0-rc1","stage-v1.49.0-rc2","stage-v1.54.1-rc2","stage-v1.56.0-rc1","stage-v1.56.1-rc1","stage-v1.56.1-rc2","stage-v1.57.0-rc1","stage-v1.58.0-rc1","stage-v1.58.0-rc2","stage-v1.62.0-rc1","stage-v1.63.0-rc1","stage-v1.63.1-rc1","stage-v1.64.0-rc2","stage-v1.65.0-rc1","stage-v1.65.0-rc2","stage-v1.65.0-rc3","staging-v0.0.1","staging-v0.0.2","staging-v0.0.3","staging-v1.23.0-master-test-1","staging-v1.23.0-master-test-2","staging-v1.23.0-ssm-fix","staging-v1.24.0-dataset-lang-switch","staging-v22.0-rc1","v1.22.0","v1.23.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42808.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}