Lucene search

[email protected]NVD:CVE-2022-1345

HistoryApr 13, 2022 - 7:15 p.m.

CVE-2022-1345

2022-04-1319:15:09

CWE-434

[email protected]

web.nvd.nist.gov

cve-2022-1345

stored xss

svg file upload

github

organizr

session hijacking

sensitive data exposure

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

44.8%

JSON

Stored XSS viva .svg file upload in GitHub repository causefx/organizr prior to 2.1.1810. This allows attackers to execute malicious scripts in the user’s browser and it can lead to session hijacking, sensitive data exposure, and worse.

Affected configurations

Nvd

Node

organizrorganizrRange<2.1.1810

VendorProductVersionCPE
organizrorganizr*cpe:2.3:a:organizr:organizr:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
organizr	organizr	*	cpe:2.3:a:organizr:organizr::::::::

References

github.com/causefx/organizr/commit/a09d834d995599756b62016af7026d2408ecf43a

huntr.dev/bounties/781b5c2a-bc98-41a0-a276-ea12399e5a25

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

44.8%

JSON

Related for NVD:CVE-2022-1345

huntr1 cvelist1 osv1 cve1 prion1