{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39026", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "datePublished": "2022-10-31T06:40:38.607642Z", "dateUpdated": "2024-09-16T19:05:41.606Z", "dateReserved": "2022-08-30T00:00:00"}, "containers": {"cna": {"title": "e-Excellence Inc. U-Office Force - Stored XSS", "datePublic": "2022-10-31T00:00:00", "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2022-10-31T00:00:00"}, "descriptions": [{"lang": "en", "value": "U-Office Force UserDefault page has insufficient filtering for special characters in the HTTP header fields. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform XSS (Stored Cross-Site Scripting) attack."}], "affected": [{"vendor": "e-Excellence Inc.", "product": "U-Office Force", "versions": [{"version": "unspecified", "lessThanOrEqual": "20.50.7821D Build:202104sp1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6641-55796-1.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79 Cross-site Scripting (XSS)", "cweId": "CWE-79"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "TVN-202210006", "discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Update U-Office Force version to 23.0"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T11:10:32.481Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6641-55796-1.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:edetw:u-office_force:*:*:*:*:*:*:*:*", "matchCriteriaId": "EBA2A8E9-737B-402E-8F54-0712C9CB85A7", "versionEndIncluding": "20.50.7821d", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "U-Office Force UserDefault page has insufficient filtering for special characters in the HTTP header fields. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform XSS (Stored Cross-Site Scripting) attack."}, {"lang": "es", "value": "La p\u00e1gina U-Office Force UserDefault no tiene filtrado suficiente para caracteres especiales en los campos del encabezado HTTP. Un atacante remoto con privilegios de usuario general puede aprovechar esta vulnerabilidad para inyectar JavaScript y realizar un ataque XSS (Stored Cross-Site Scripting)."}], "id": "CVE-2022-39026", "lastModified": "2022-10-31T17:47:12.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2022-10-31T07:15:10.487", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6641-55796-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}

{}