CVE-2022-23544 Server-Side Request Forgery in Metersphere leads to Cross-Site Scripting

Published: 2022-12-27 23:57:42
CWE: CWE-918 (Server-Side Request Forgery), CWE-79 (Cross-Site Scripting)
Source: GitHub_M (www.cve.org)
Tags: metersphere, ssrf, cross-site scripting, security vulnerability, v2.5.0

CVSS3: 7.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 44.5%

MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side Request Forgery in IssueProxyResourceService::getMdImageByUrl allows an attacker to access internal resources, as well as to execute JavaScript code in the context of Metersphere's origin against a victim of the resulting reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.

CNA Affected

[
  {
    "vendor": "metersphere",
    "product": "metersphere",
    "versions": [
      {
        "version": "< 2.5.0",
        "status": "affected"
      }
    ]
  }
]
