CVE-2022-26111

Exploit

EPSS 7.37%
Published 25.04.2022 15:15:49
Last modified 21.11.2024 06:53:27
Source cve@mitre.org
Teams watchlist Login
Open Login

The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Canon ≫ Irisnext Version <= 9.8.28

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	7.37%	0.913

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-26111.pdf

Third Party Advisory

Exploit

https://varsnext.iriscorporate.com/

Vendor Advisory

Product

https://nvd.nist.gov/vuln/detail/CVE-2022-26111

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26111

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26111

EUVD