{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3d8d9fe28c22aa21fd32dd96aeefbc4957567605"
            }
          ],
          "repo": "https://github.com/shirasagi/shirasagi",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-xr45-c2jv-2v9r"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-176"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41889.json"
  },
  "details": "SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHIRASAGI is vulnerable to a post-Unicode-normalization issue. This happens when a logical validation or a security check is performed before Unicode normalization: a Unicode equivalent of a character can pass the check and then resurface as that character after the normalization. The fix is to perform the Unicode normalization first, then strip all whitespace, and only then check for a blank string. This issue has been fixed in version 1.18.0.\n",
  "id": "CVE-2023-41889",
  "modified": "2026-04-01T23:10:38.743905884Z",
  "published": "2023-09-15T20:09:27.714Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shirasagi/shirasagi/blob/f249ce3f06f6bfbc0017b38f5c13de424334c3ea/app/models/concerns/rdf/object.rb#L68-L72"
    },
    {
      "type": "WEB",
      "url": "https://sim4n6.beehiiv.com/p/unicode-characters-bypass-security-checks"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41889.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/shirasagi/shirasagi/security/advisories/GHSA-xr45-c2jv-2v9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41889"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Late-Unicode normalization vulnerability in SHIRASAGI"
}