CVE-2022-1682 - Vulnerability Details - OpenCVE

Reflected Xss using url based payload in GitHub repository neorazorx/facturascripts prior to 2022.07. Xss can use to steal user's cookies which lead to Account takeover or do any malicious activity in victim's browser

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Facturascripts	Facturascripts

Configuration 1 [-]

cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/neorazorx/facturascripts/commit/8e31d8434014a6d1e8791a489d84268fd74b0c9a
https://huntr.dev/bounties/e962d191-93e2-405e-a6af-b4a4e4d02527

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-05-12T08:15:17

Updated: 2024-08-03T00:10:03.910Z

Reserved: 2022-05-12T00:00:00

Link: CVE-2022-1682

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-05-12T09:15:13.827

Modified: 2024-11-21T06:41:14.693

Link: CVE-2022-1682

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "neorazorx/facturascripts", "vendor": "neorazorx", "versions": [{"lessThan": "2022.07", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Reflected Xss using url based payload in GitHub repository neorazorx/facturascripts prior to 2022.07. Xss can use to steal user's cookies which lead to Account takeover or do any malicious activity in victim's browser"}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-12T08:15:17", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/e962d191-93e2-405e-a6af-b4a4e4d02527"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/neorazorx/facturascripts/commit/8e31d8434014a6d1e8791a489d84268fd74b0c9a"}], "source": {"advisory": "e962d191-93e2-405e-a6af-b4a4e4d02527", "discovery": "EXTERNAL"}, "title": "Reflected Xss using url based payload in neorazorx/facturascripts", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-1682", "STATE": "PUBLIC", "TITLE": "Reflected Xss using url based payload in neorazorx/facturascripts"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "neorazorx/facturascripts", "version": {"version_data": [{"version_affected": "<", "version_value": "2022.07"}]}}]}, "vendor_name": "neorazorx"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Reflected Xss using url based payload in GitHub repository neorazorx/facturascripts prior to 2022.07. Xss can use to steal user's cookies which lead to Account takeover or do any malicious activity in victim's browser"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/e962d191-93e2-405e-a6af-b4a4e4d02527", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/e962d191-93e2-405e-a6af-b4a4e4d02527"}, {"name": "https://github.com/neorazorx/facturascripts/commit/8e31d8434014a6d1e8791a489d84268fd74b0c9a", "refsource": "MISC", "url": "https://github.com/neorazorx/facturascripts/commit/8e31d8434014a6d1e8791a489d84268fd74b0c9a"}]}, "source": {"advisory": "e962d191-93e2-405e-a6af-b4a4e4d02527", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.910Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/e962d191-93e2-405e-a6af-b4a4e4d02527"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/neorazorx/facturascripts/commit/8e31d8434014a6d1e8791a489d84268fd74b0c9a"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-1682", "datePublished": "2022-05-12T08:15:17", "dateReserved": "2022-05-12T00:00:00", "dateUpdated": "2024-08-03T00:10:03.910Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E4D15F9-24C7-490B-9DE0-71406995A06F", "versionEndExcluding": "2022.07", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Reflected Xss using url based payload in GitHub repository neorazorx/facturascripts prior to 2022.07. Xss can use to steal user's cookies which lead to Account takeover or do any malicious activity in victim's browser"}, {"lang": "es", "value": "Una vulnerabilidad de tipo Xss reflejado usando una carga \u00fatil basada en url en el repositorio de GitHub neorazorx/facturascripts versiones anteriores a 2022.07. El ataque de tipo Xss puede usarse para robar las cookies del usuario, lo que conlleva a una toma de control de la cuenta o cualquier actividad maliciosa en el navegador de la v\u00edctima"}], "id": "CVE-2022-1682", "lastModified": "2024-11-21T06:41:14.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-12T09:15:13.827", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/neorazorx/facturascripts/commit/8e31d8434014a6d1e8791a489d84268fd74b0c9a"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/e962d191-93e2-405e-a6af-b4a4e4d02527"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/neorazorx/facturascripts/commit/8e31d8434014a6d1e8791a489d84268fd74b0c9a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/e962d191-93e2-405e-a6af-b4a4e4d02527"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}