Lucene search

[email protected]CVE-2022-39301

HistoryOct 19, 2022 - 2:15 p.m.

CVE-2022-39301

2022-10-1914:15:09

CWE-80

CWE-434

[email protected]

web.nvd.nist.gov

sra-admin

background rights management

xss vulnerability

user info theft

security patch

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

0.001 Low

EPSS

Percentile

24.9%

JSON

sra-admin is a background rights management system that separates the front and back end. sra-admin version 1.1.1 has a storage cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an html page containing xss attack code in “Personal Center” - “Profile Picture Upload” allowing theft of the user’s personal information. This issue has been patched in 1.1.2. There are no known workarounds.

Affected configurations

Vulners

NVD

Node

momofoolishsra_adminRange<1.1.2

CPENameOperatorVersion
sra-admin_project:sra-adminsra-admin project sra-adminle1.1.1

CPE	Name	Operator	Version
sra-admin_project:sra-admin	sra-admin project sra-admin	le	1.1.1

CNA Affected

[
  {
    "vendor": "momofoolish",
    "product": "sra-admin",
    "versions": [
      {
        "version": "< 1.1.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/momofoolish/sra-admin/security/advisories/GHSA-v7r9-qx74-h3v8

Social References