6.8

CVE-2022-0020

Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface

A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent JavaScript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations. This issue impacts: All builds of Cortex XSOAR 6.1.0; Cortex XSOAR 6.2.0 builds earlier than build 1958888.
Data is provided by the National Vulnerability Database (NVD)
Paloaltonetworks Cortex Xsoar Version 6.1.0 Update -
Paloaltonetworks Cortex Xsoar Version 6.1.0 Update 1016923
Paloaltonetworks Cortex Xsoar Version 6.1.0 Update 1031903
Paloaltonetworks Cortex Xsoar Version 6.1.0 Update 1077664
Paloaltonetworks Cortex Xsoar Version 6.1.0 Update 1209934
Paloaltonetworks Cortex Xsoar Version 6.1.0 Update 1271079
Paloaltonetworks Cortex Xsoar Version 6.1.0 Update 848144
Paloaltonetworks Cortex Xsoar Version 6.2.0 Update -
Paloaltonetworks Cortex Xsoar Version 6.2.0 Update 1271082
Paloaltonetworks Cortex Xsoar Version 6.2.0 Update 1321594
Paloaltonetworks Cortex Xsoar Version 6.2.0 Update 1473927
Paloaltonetworks Cortex Xsoar Version 6.2.0 Update 1578666
Paloaltonetworks Cortex Xsoar Version 6.2.0 Update 1822745
No alert was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 1.01% | 0.77 |
CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 3.5 | 6.8 | 2.9 | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| psirt@paloaltonetworks.com | 6.8 | 0.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.