9
CVE-2022-1445
- EPSS 0.74%
- Veröffentlicht 24.04.2022 15:15:07
- Zuletzt bearbeitet 21.11.2024 06:40:44
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
LoginStored Cross Site Scripting vulnerability in the checked_out_to parameter in snipe/snipe-it
Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stolen the user Cookie.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Snipeitapp ≫ Snipe-it Version < 5.4.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.74% | 0.498 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
| security@huntr.dev | 9 | 2.3 | 6 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/snipe/snipe-it/commit/f623d05d0c3487ae24c4f13907e4709484e5bf41
https://huntr.dev/bounties/f4420149-5236-4051-a458-5d4f1d5b7abd