CVE-2022-22985 - OpenCVE

The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to review history.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ipcomm	Ipdio Ipdio Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ipcomm:ipdio_firmware:3.9:*:*:*:*:*:*:*

cpe:2.3:h:ipcomm:ipdio:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-03-09T15:33:40.335255Z

Updated: 2024-09-17T02:42:17.320Z

Reserved: 2022-02-15T00:00:00

Link: CVE-2022-22985

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-10T17:45:43.893

Modified: 2023-06-27T19:01:51.437

Link: CVE-2022-22985

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "IPCOMM ipDIO", "vendor": "IPCOMM", "versions": [{"status": "affected", "version": "3.9"}]}], "credits": [{"lang": "en", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21Sec reported these vulnerabilities to CISA."}], "datePublic": "2022-03-03T00:00:00", "descriptions": [{"lang": "en", "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to review history."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T15:33:40", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}], "solutions": [{"lang": "en", "value": "IPCOMM recommends upgrading to its ip4Cloud device, which is the successor to ipDIO. Contact IPCOMM customer support for assistance with the upgrade. For more information, visit the IPCOMM ip4Cloud product page."}], "source": {"advisory": "ICSA-22-062-01", "discovery": "EXTERNAL"}, "title": "ICSA-22-062-01 IPCOMM ipDIO", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-03T18:40:00.000Z", "ID": "CVE-2022-22985", "STATE": "PUBLIC", "TITLE": "ICSA-22-062-01 IPCOMM ipDIO"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "IPCOMM ipDIO", "version": {"version_data": [{"version_affected": "=", "version_name": "3.9", "version_value": "3.9"}]}}]}, "vendor_name": "IPCOMM"}]}}, "credit": [{"lang": "eng", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21Sec reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to review history."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}]}, "solution": [{"lang": "en", "value": "IPCOMM recommends upgrading to its ip4Cloud device, which is the successor to ipDIO. Contact IPCOMM customer support for assistance with the upgrade. For more information, visit the IPCOMM ip4Cloud product page."}], "source": {"advisory": "ICSA-22-062-01", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:28:42.832Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-22985", "datePublished": "2022-03-09T15:33:40.335255Z", "dateReserved": "2022-02-15T00:00:00", "dateUpdated": "2024-09-17T02:42:17.320Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ipcomm:ipdio_firmware:3.9:*:*:*:*:*:*:*", "matchCriteriaId": "7CCFF2C1-ED64-44C3-94D3-D5179BB3F822", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ipcomm:ipdio:-:*:*:*:*:*:*:*", "matchCriteriaId": "034252D1-4CDB-4813-8831-8A0CCBC1E1C4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to review history."}, {"lang": "es", "value": "La ausencia de filtros cuando son cargadas algunas secciones en la aplicaci\u00f3n web del dispositivo vulnerable permite a atacantes inyectar c\u00f3digo malicioso que ser\u00e1 interpretado cuando un usuario leg\u00edtimo acceda a la secci\u00f3n web espec\u00edfica donde es mostrada la informaci\u00f3n. La inyecci\u00f3n puede realizarse sobre par\u00e1metros espec\u00edficos. El c\u00f3digo inyectado es ejecutado cuando un usuario leg\u00edtimo intenta revisar el historial"}], "id": "CVE-2022-22985", "lastModified": "2023-06-27T19:01:51.437", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-03-10T17:45:43.893", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}