CVE-2022-26088 - Vulnerability Details - OpenCVE

An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated."

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00458.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Bmc	Remedy It Service Management Suite

Configuration 1 [-]

cpe:2.3:a:bmc:remedy_it_service_management_suite:20.02:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-30656	An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated."

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://packetstormsecurity.com/files/169863/BMC-Remedy-ITSM-Suite-9.1.10-20.02-HTML-Injection.html
http://seclists.org/fulldisclosure/2022/Nov/10
https://sec-consult.com/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/

History

Thu, 01 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-11-10T00:00:00.000Z

Updated: 2025-05-01T13:52:05.367Z

Reserved: 2022-02-24T00:00:00.000Z

Link: CVE-2022-26088

Vulnrichment

Updated: 2024-08-03T04:56:37.759Z

NVD

Status : Modified

Published: 2022-11-10T21:15:09.920

Modified: 2025-05-01T14:15:23.467

Link: CVE-2022-26088

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-26088", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-05-01T13:52:05.367Z", "dateReserved": "2022-02-24T00:00:00.000Z", "datePublished": "2022-11-10T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-11-15T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the \"number of recipients\" field. NOTE: the vendor's position is that \"no real impact is demonstrated.\""}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://sec-consult.com/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/"}, {"name": "20221115 SEC Consult SA-20221110-0 :: HTML Injection in BMC Remedy ITSM-Suite", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Nov/10"}, {"url": "http://packetstormsecurity.com/files/169863/BMC-Remedy-ITSM-Suite-9.1.10-20.02-HTML-Injection.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.759Z"}, "title": "CVE Program Container", "references": [{"url": "https://sec-consult.com/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/", "tags": ["x_transferred"]}, {"name": "20221115 SEC Consult SA-20221110-0 :: HTML Injection in BMC Remedy ITSM-Suite", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/Nov/10"}, {"url": "http://packetstormsecurity.com/files/169863/BMC-Remedy-ITSM-Suite-9.1.10-20.02-HTML-Injection.html", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-01T13:51:28.866008Z", "id": "CVE-2022-26088", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:52:05.367Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://sec-consult.com/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2022/Nov/10", "name": "20221115 SEC Consult SA-20221110-0 :: HTML Injection in BMC Remedy ITSM-Suite", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://packetstormsecurity.com/files/169863/BMC-Remedy-ITSM-Suite-9.1.10-20.02-HTML-Injection.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.759Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-26088", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-01T13:51:28.866008Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:52:00.901Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://sec-consult.com/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/"}, {"url": "http://seclists.org/fulldisclosure/2022/Nov/10", "name": "20221115 SEC Consult SA-20221110-0 :: HTML Injection in BMC Remedy ITSM-Suite", "tags": ["mailing-list"]}, {"url": "http://packetstormsecurity.com/files/169863/BMC-Remedy-ITSM-Suite-9.1.10-20.02-HTML-Injection.html"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the \"number of recipients\" field. NOTE: the vendor's position is that \"no real impact is demonstrated.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-11-15T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-26088", "state": "PUBLISHED", "dateUpdated": "2025-05-01T13:52:05.367Z", "dateReserved": "2022-02-24T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2022-11-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bmc:remedy_it_service_management_suite:20.02:*:*:*:*:*:*:*", "matchCriteriaId": "6A44F441-2400-4524-9C17-922A49A4552C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the \"number of recipients\" field. NOTE: the vendor's position is that \"no real impact is demonstrated.\""}, {"lang": "es", "value": "Se descubri\u00f3 un problema en BMC Remedy antes del 22.1. El reenv\u00edo de incidentes basado en correo electr\u00f3nico permite a los usuarios remotos autenticados inyectar HTML (como un payload SSRF) en el registro de actividad coloc\u00e1ndolo en el campo Para:. Esto afecta la representaci\u00f3n que se produce al hacer click en el campo \"number of recipients\". NOTA: la posici\u00f3n del proveedor es que \"no se demuestra ning\u00fan impacto real\"."}], "id": "CVE-2022-26088", "lastModified": "2025-05-01T14:15:23.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-11-10T21:15:09.920", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://packetstormsecurity.com/files/169863/BMC-Remedy-ITSM-Suite-9.1.10-20.02-HTML-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Nov/10"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sec-consult.com/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "http://packetstormsecurity.com/files/169863/BMC-Remedy-ITSM-Suite-9.1.10-20.02-HTML-Injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Nov/10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sec-consult.com/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}