CVE-2022-26111

Exploit

EPSS 7.37%
Veröffentlicht 25.04.2022 15:15:49
Zuletzt bearbeitet 21.11.2024 06:53:27
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Canon ≫ Irisnext Version <= 9.8.28

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	7.37%	0.913

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-26111.pdf

Third Party Advisory

Exploit

https://varsnext.iriscorporate.com/

Vendor Advisory

Product

https://nvd.nist.gov/vuln/detail/CVE-2022-26111

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26111

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26111

EUVD