History: Dec 06, 2022 - 6:15 p.m.

CVE-2022-23466

2022-12-06 18:15:09
CWE-79
web.nvd.nist.gov
43
teler
real-time
intrusion detection
threat alert
xss
dom-based
cve-2022-23466
security vulnerability
upgrade
nvd

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 19.6%

teler is a real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the /events endpoint, the log data displayed on the dashboard is not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed in version v2.0.0-rc.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners / NVD

Node
kitabisa | teler-waf | Range | 0.0-rc | 0.0-rc.4
OR
kitabisa | teler-waf | Match | 0.0-dev

Vendor | Product | Version | CPE
kitabisa | teler\-waf | * | cpe:2.3:a:kitabisa:teler\-waf:*:*:*:*:*:*:*:*
kitabisa | teler\-waf | 0.0-dev | cpe:2.3:a:kitabisa:teler\-waf:0.0-dev:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "kitabisa",
    "product": "teler",
    "versions": [
      {
        "version": ">= v2.0.0-rc, < v2.0.0-rc.4",
        "status": "affected"
      },
      {
        "version": "= v2.0.0-dev",
        "status": "affected"
      }
    ]
  }
]
