{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-41947", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-09-30T16:38:28.941Z", "datePublished": "2022-12-08T22:14:14.759Z", "dateUpdated": "2024-08-03T12:56:38.668Z"}, "containers": {"cna": {"title": "Cross-site Scripting with user-uploaded files in dhis2-core ", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg"}, {"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["x_refsource_MISC"], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"}], "affected": [{"vendor": "dhis2", "product": "dhis2-core", "versions": [{"version": "< 2.36.12.1", "status": "affected"}, {"version": ">= 2.37.0.0, < 2.37.8.1", "status": "affected"}, {"version": ">= 2.38.0.0, < 2.38.2.1", "status": "affected"}, {"version": ">= 2.39.0.0, < 2.39.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-08T22:14:14.759Z"}, "descriptions": [{"lang": "en", "value": "DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints."}], "source": {"advisory": "GHSA-763w-rm78-6xcg", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:38.668Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg"}, {"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1C27E48-5EE7-4A34-916F-8B701C6BF8E0", "versionEndExcluding": "2.36.12.1", "versionStartIncluding": "2.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6BDDC0C-4FFE-474A-827E-978DD52338C7", "versionEndExcluding": "2.37.8.1", "versionStartIncluding": "2.37.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5767431-7751-48F4-8F6F-2D4A6CADABBB", "versionEndExcluding": "2.38.2.1", "versionStartIncluding": "2.38.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:2.39.0:*:*:*:*:*:*:*", "matchCriteriaId": "A2EB62DB-53E9-47D3-8659-392DE9A8351A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints."}, {"lang": "es", "value": "DHIS 2 es un sistema de informaci\u00f3n de c\u00f3digo abierto para captura, gesti\u00f3n, validaci\u00f3n, an\u00e1lisis y visualizaci\u00f3n de datos. A trav\u00e9s de varias funciones de DHIS2, un usuario autenticado puede cargar un archivo que incluye javascript integrado. Luego, el usuario podr\u00eda enga\u00f1ar a otro usuario autenticado para que abra el archivo malicioso en un navegador, lo que activar\u00eda el c\u00f3digo javascript, lo que resultar\u00eda en un ataque de Cross-Site Scripting (XSS). Los administradores de DHIS2 deben actualizar a las siguientes versiones de revisi\u00f3n: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Los usuarios que no puedan actualizar pueden agregar la siguiente regla CSP simple en su proxy web a los endpoints vulnerables: `script-src 'none'`. Esta soluci\u00f3n evitar\u00e1 que todo JavaScript se ejecute en esos endpoints."}], "id": "CVE-2022-41947", "lastModified": "2022-12-12T18:36:04.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-08T23:15:10.813", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}