CVE-2022-38845

Exploit

EPSS 0.18%
Veröffentlicht 16.09.2022 14:15:09
Zuletzt bearbeitet 21.11.2024 07:17:10
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Espocrm ≫ Espocrm Version7.1.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.394

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-cross-site-scripting-e3e6c708df18

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-38845

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-38845

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-38845

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-38845