Lucene search

GitHub Advisory DatabaseGHSA-8G35-PRRR-GXXF

HistoryOct 31, 2022 - 7:00 p.m.

ProcessWire vulnerable to Cross-site Scripting

2022-10-3119:00:37

CWE-79

GitHub Advisory Database

github.com

processwire

cross-site scripting

v3.0.200

search users

search pages

injection

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

33.5%

JSON

ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload.

Affected configurations

Vulners

Node

processwireprocesswireRange≤3.0.200

CPENameOperatorVersion
processwire/processwirele3.0.200

CPE	Name	Operator	Version
	processwire/processwire	le	3.0.200

References

processwire.com

gist.github.com/filipaze/32ab8683af8d82827028164e361b6e86

github.com/advisories/GHSA-8g35-prrr-gxxf

nvd.nist.gov/vuln/detail/CVE-2022-40487

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

33.5%

JSON

Related for GHSA-8G35-PRRR-GXXF