CVE-2023-32193: 
Wolfi vulnerability analysis and mitigation

A vulnerability has been identified in Norman's public API endpoint that allows unauthenticated cross-site scripting (XSS) attacks. The vulnerability, tracked as CVE-2023-32193, was discovered in 2023 and affects multiple versions of the Norman API, including master branch (<=a182097), release/v2.8 (<=6024223), release/v2.7 (<=f4006b7), and release/v2.6 (<=18989f7) (GitHub Advisory).

The vulnerability is classified as a Reflected XSS attack where the Norman API propagates malicious payloads from user input to the UI, which then renders the output. For example, malicious URLs can be rendered into scripts that are executed on the page. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, indicating network attack vector, low attack complexity, no privileges required, and user interaction required (GitHub Advisory).

The vulnerability can lead to an attacker exploiting the system to trigger JavaScript code and execute commands remotely. This could result in high impact on both confidentiality and integrity of the system, with a low impact on availability. The attack can be executed without authentication, making it particularly dangerous (GitHub Advisory).

The vulnerability has been patched in multiple versions: master (>=3bb70b7), release/v2.8 (>=a6a6cf5), release/v2.7 (>=cb54924), release/v2.7.s3 (>=7b2b467), and release/v2.6 (>=bd13c65). The fix includes encoding input from the request URL before adding it to the response, using url.URL for link construction, and implementing JavaScript and CSS variable escaping with attribute encoding as defined by OWASP. There are no direct mitigation strategies besides updating Norman API to a patched version (GitHub Advisory).