Lucene search

[email protected]NVD:CVE-2022-3255

HistorySep 21, 2022 - 1:15 p.m.

CVE-2022-3255

2022-09-2113:15:09

CWE-79

[email protected]

web.nvd.nist.gov

attacker control script

compromise user

application actions

view information

modify data

initiate interactions

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

Affected configurations

Nvd

Node

pimcorepimcoreRange<10.5.7

VendorProductVersionCPE
pimcorepimcore*cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pimcore	pimcore	*	cpe:2.3:a:pimcore:pimcore::::::::

References

github.com/pimcore/pimcore/commit/1e916e7d668c9e47b217e20cc0ea4812f466201b

huntr.dev/bounties/0ea45cf9-b256-454c-9031-2435294c0902