CVE-2022-43670 - OpenCVE

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Sling Cms

Configuration 1 [-]

cpe:2.3:a:apache:sling_cms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/11/02/8
https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-11-02T00:00:00

Updated: 2024-08-03T13:40:05.707Z

Reserved: 2022-10-22T00:00:00

Link: CVE-2022-43670

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-11-02T13:15:19.997

Modified: 2022-11-03T13:54:23.783

Link: CVE-2022-43670

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-43670", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T13:40:05.707Z", "dateReserved": "2022-10-22T00:00:00", "datePublished": "2022-11-02T00:00:00"}, "containers": {"cna": {"title": "XSS in Sling CMS Reference App Taxonomy Path", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-11-02T00:00:00"}, "descriptions": [{"lang": "en", "value": "An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Sling App CMS", "versions": [{"version": "unspecified", "lessThan": "1.1.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs"}, {"name": "[oss-security] 20221102 CVE-2022-43670: Apache Sling App CMS: XSS in Sling CMS Reference App Taxonomy Path", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/11/02/8"}], "credits": [{"lang": "en", "value": "Apache Sling would like to thank QSec-Team for reporting this issue"}], "metrics": [{"other": {"type": "unknown", "content": {"other": "low"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"defect": ["SLING-11622"], "discovery": "UNKNOWN"}, "workarounds": [{"lang": "en", "value": "Upgrade to Apache Sling App CMS >= 1.1.2"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:40:05.707Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/o68l3l3crfxz107fr9dm74y8vg8kj2cs", "tags": ["x_transferred"]}, {"name": "[oss-security] 20221102 CVE-2022-43670: Apache Sling App CMS: XSS in Sling CMS Reference App Taxonomy Path", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/11/02/8"}]}]}}