Lucene search

GitHub_MCVE-2022-39301

HistoryOct 19, 2022 - 2:15 p.m.

CVE-2022-39301

2022-10-1914:15:09

CWE-80

CWE-434

GitHub_M

web.nvd.nist.gov

sra-admin

background rights management

xss vulnerability

user info theft

security patch

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

EPSS

0.001

Percentile

24.8%

JSON

sra-admin is a background rights management system that separates the front and back end. sra-admin version 1.1.1 has a storage cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an html page containing xss attack code in “Personal Center” - “Profile Picture Upload” allowing theft of the user’s personal information. This issue has been patched in 1.1.2. There are no known workarounds.

Affected configurations

Nvd

Vulners

Node

sra-admin_projectsra-adminRange≤1.1.1

VendorProductVersionCPE
sra-admin_projectsra-admin*cpe:2.3:a:sra-admin_project:sra-admin:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sra-admin_project	sra-admin	*	cpe:2.3:a:sra-admin_project:sra-admin::::::::

CNA Affected

[
  {
    "vendor": "momofoolish",
    "product": "sra-admin",
    "versions": [
      {
        "version": "< 1.1.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/momofoolish/sra-admin/security/advisories/GHSA-v7r9-qx74-h3v8

Social References