Lucene search

Fluid AttacksCVE-2022-42753

HistoryNov 03, 2022 - 6:15 p.m.

CVE-2022-42753

2022-11-0318:15:17

CWE-79

Fluid Attacks

web.nvd.nist.gov

cve-2022-42753

salonerp

version 3.0.2

cookie theft

xss

nvd

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

36.9%

JSON

SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks.

Affected configurations

Nvd

Node

salonerp_projectsalonerpMatch3.0.2

VendorProductVersionCPE
salonerp_projectsalonerp3.0.2cpe:2.3:a:salonerp_project:salonerp:3.0.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
salonerp_project	salonerp	3.0.2	cpe:2.3:a:salonerp_project:salonerp:3.0.2:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "SalonERP",
    "versions": [
      {
        "version": "3.0.2",
        "status": "affected"
      }
    ]
  }
]

References

fluidattacks.com/advisories/hardway/

salonerp.sourceforge.io/

Social References

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

36.9%

JSON

Related for CVE-2022-42753