Lucene search

MitreCVE-2022-26155

HistoryFeb 28, 2022 - 4:15 p.m.

CVE-2022-26155

2022-02-2816:15:08

CWE-79

mitre

web.nvd.nist.gov

cve-2022-26155

xss

cherwell service management

csm

samlresponse

http request

security vulnerability

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.5%

JSON

An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. XSS can occur via a payload in the SAMLResponse parameter of the HTTP request body.

Affected configurations

Nvd

Node

cherwellcherwell_service_managementMatch10.2.3

VendorProductVersionCPE
cherwellcherwell_service_management10.2.3cpe:2.3:a:cherwell:cherwell_service_management:10.2.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cherwell	cherwell_service_management	10.2.3	cpe:2.3:a:cherwell:cherwell_service_management:10.2.3:::::::*

References

github.com/l00neyhacker/CVE-2022-26155

help.cherwell.com/bundle/release_notes_10_4_help_only/page/content/release_notes/10_4_0_fix_list.html

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.5%

JSON

Related for CVE-2022-26155