CVE-2022-23544

2022-12-2800:15:13

CWE-918

CWE-79

[email protected]

web.nvd.nist.gov

metersphere

ssrf

xss

security

vulnerability

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

44.5%

JSON

MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side request forgery in IssueProxyResourceService::getMdImageByUrl allows an attacker to access internal resources, as well as executing JavaScript code in the context of Metersphere’s origin by a victim of a reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.

Affected configurations

Vulners

NVD

Node

meterspheremetersphereRange<2.5.0

VendorProductVersionCPE
meterspheremetersphere*cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
metersphere	metersphere	*	cpe:2.3:a:metersphere:metersphere::::::::

CNA Affected

[
  {
    "vendor": "metersphere",
    "product": "metersphere",
    "versions": [
      {
        "version": "< 2.5.0",
        "status": "affected"
      }
    ]
  }
]