Lucene search

MendCVELIST:CVE-2022-23054

HistoryFeb 20, 2022 - 7:00 p.m.

CVE-2022-23054 Openmct XSS via the “Summary Widget”

2022-02-2019:00:17

CWE-79

Mend

www.cve.org

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

31.5%

JSON

Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Summary Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions.

CNA Affected

[
  {
    "product": "openmct ",
    "vendor": "nasa",
    "versions": [
      {
        "lessThanOrEqual": "1.7.7",
        "status": "affected",
        "version": "1.7.7",
        "versionType": "custom"
      },
      {
        "lessThan": "1.3.0*",
        "status": "affected",
        "version": "1.3.0",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

31.5%

JSON

Related for CVELIST:CVE-2022-23054