CVE-2022-21662

EPSS 14.76%
Veröffentlicht 06.01.2022 23:15:08
Zuletzt bearbeitet 21.11.2024 06:45:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

WordPress Core < 5.8.3 - Authenticated (Author+) Stored Cross Site Scripting

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

Mögliche Gegenmaßnahme

WordPress: Update to one of the following versions, or a newer patched version: 3.7.37, 3.8.37, 3.9.35, 4.0.34, 4.1.34, 4.2.31, 4.3.27, 4.4.26, 4.5.25, 4.6.22, 4.7.22, 4.8.18, 4.9.19, 5.0.15, 5.1.12, 5.2.14, 5.3.11, 5.4.9, 5.5.8, 5.6.7, 5.7.5, 5.8.3

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 10

Weitere Schwachstelleninformationen

SystemWordPress Core

≫

Produkt WordPress

Version [3.7, 3.7.37)

Version [3.8, 3.8.37)

Version [3.9, 3.9.35)

Version [4.0, 4.0.34)

Version [4.1, 4.1.34)

Version [4.2, 4.2.31)

Version [4.3, 4.3.27)

Version [4.4, 4.4.26)

Version [4.5, 4.5.25)

Version [4.6, 4.6.22)

Version [4.7, 4.7.22)

Version [4.8, 4.8.18)

Version [4.9, 4.9.19)

Version [5.0, 5.0.15)

Version [5.1, 5.1.12)

Version [5.2, 5.2.14)

Version [5.3, 5.3.11)

Version [5.4, 5.4.9)

Version [5.5, 5.5.8)

Version [5.6, 5.6.7)

Version [5.7, 5.7.5)

Version [5.8, 5.8.3)

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wordpress ≫ Wordpress Version < 5.8.3

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	14.76%	0.942

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
security-advisories@github.com	8	1.3	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/

https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/

Vendor Advisory

Release Notes

https://www.debian.org/security/2022/dsa-5039

Third Party Advisory

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w

Third Party Advisory