9.8
CVE-2022-42948
- EPSS 19.51%
- Published 24.03.2023 14:15:09
- Last modified 03.11.2025 16:20:40
- Source cve@mitre.org
Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.
Data provided by the National Vulnerability Database (NVD)
Helpsystems ≫ Cobalt Strike, version 4.7.1
30.03.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog
Vulnerability: Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability
Description: Fortra Cobalt Strike User Interface contains an unspecified vulnerability rooted in Java Swing that may allow remote code execution.
Required action: Apply updates per vendor instructions.

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 19.51% | 0.952 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CWE-116 Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.