Lucene search

SuseCVELIST:CVE-2022-21948

HistoryFeb 07, 2023 - 12:00 a.m.

CVE-2022-21948 paste: XSS on the image upload function

2023-02-0700:00:00

CWE-79

suse

www.cve.org

cve-2022-21948; cross-site scripting; opensuse; svg files; image upload

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

50.3%

JSON

An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in paste allows remote attackers to place Javascript into SVG files. This issue affects: openSUSE paste paste version b57b9f87e303a3db9465776e657378e96845493b and prior versions.

CNA Affected

[
  {
    "vendor": "openSUSE",
    "product": "paste",
    "versions": [
      {
        "version": "paste",
        "status": "affected",
        "lessThanOrEqual": "b57b9f87e303a3db9465776e657378e96845493b",
        "versionType": "custom"
      }
    ]
  }
]

References

bugzilla.suse.com/show_bug.cgi?id=1197930

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

50.3%

JSON

Related for CVELIST:CVE-2022-21948