6.1
CVE-2022-39197
- EPSS 20.16%
- Veröffentlicht 22.09.2022 01:15:11
- Zuletzt bearbeitet 03.11.2025 18:13:55
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginAn XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Helpsystems ≫ Cobalt Strike Version < 4.7.1
30.03.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog
Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability
SchwachstelleFortra Cobalt Strike contains a cross-site scripting (XSS) vulnerability in Teamserver that would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 20.16% | 0.953 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.