Lucene search

[email protected]CVE-2022-42466

HistoryOct 19, 2022 - 8:15 a.m.

CVE-2022-42466

2022-10-1908:15:00

CWE-79

[email protected]

web.nvd.nist.gov

cve-2022-42466

security

vulnerability

escaped strings

javascript execution

domain object

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

58.2%

JSON

Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter javascript or similar and this would be executed. As of this release, the inputted strings are properly escaped when rendered.

CPENameOperatorVersion
apache:isisapache isislt2.0.0

CPE	Name	Operator	Version
apache:isis	apache isis	lt	2.0.0

References

www.openwall.com/lists/oss-security/2022/10/19/2

lists.apache.org/thread/83ftj5jgtv3mbm28w3trjyvd591jztrz

Social References

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

58.2%

JSON

Related for CVE-2022-42466

veracode1 cnvd1 prion1 github1 cvelist1 osv2