CVELIST:CVE-2022-23637 (GitHub_M)
Published: Feb 14, 2022 - 8:45 p.m.
CVE-2022-23637 Stored Cross-Site-Scripting (XSS) in Markdown Editor

CWE: CWE-79
CNA: GitHub_M
Source: www.cve.org
Tags: cve-2022-23637, stored cross-site-scripting, markdown editor, k-box, version 0.33.1, vulnerability, untrusted javascript actions, unsafe links

CVSS3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
EPSS: 0.001 (Percentile: 19.4%)

K-Box is a web-based application for managing documents, images, videos and geodata. Prior to version 0.33.1, a stored Cross-Site Scripting (XSS) vulnerability is present in the markdown editor used by the document abstract and the markdown file preview. A specifically crafted anchor link can, if clicked, execute untrusted JavaScript in the victim's browser, for example to retrieve the user's cookies. Version 0.33.1 includes a patch that discards unsafe links.

CNA Affected

[
  {
    "product": "k-box",
    "vendor": "k-box",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.33.1"
      }
    ]
  }
]
