Lucene search

INCIBECVELIST:CVE-2022-47373

HistoryFeb 15, 2023 - 12:00 a.m.

CVE-2022-47373 Reflected Cross Site Scripting in Search Functionality of Module Library

2023-02-1500:00:00

CWE-352

INCIBE

www.cve.org

cve-2022-47373

reflection

cross site scripting

search functionality

module library

pandora fms console v766

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

0.0005 Low

EPSS

Percentile

16.4%

JSON

Reflected Cross Site Scripting in Search Functionality of Module Library in Pandora FMS Console v766 and lower. This vulnerability arises on the forget password functionality in which parameter username does not proper input validation/sanitization thus results in executing malicious JavaScript payload.

CNA Affected

[
  {
    "vendor": "Artica PFMS",
    "product": "Pandora FMS",
    "versions": [
      {
        "version": "v766",
        "status": "affected",
        "lessThanOrEqual": "v766",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "all"
    ]
  }
]

References

github.com/Argonx21/CVE-2022-47373

pandorafms.com/en/security/common-vulnerabilities-and-exposures/

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

0.0005 Low

EPSS

Percentile

16.4%

JSON

Related for CVELIST:CVE-2022-47373