Oct 19, 2022 - 8:15 a.m.

CVE-2022-42466

2022-10-19 08:15:11
CWE-79
web.nvd.nist.gov
Tags: cve-2022-42466, security, vulnerability, escaped strings, javascript execution, domain object

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.002 Low
Percentile: 58.5%

Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter JavaScript or similar and this would be executed. As of this release, the inputted strings are properly escaped when rendered.

Affected configurations

Node: apache isis, Range: 2.0.0-M9

CPE: apache:isis, Name: apache isis, Operator: lt, Version: 2.0.0

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Isis",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "2.0.0-M9",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]
