Lucene search

GitHub_MCVELIST:CVE-2022-24717

HistoryMar 01, 2022 - 6:40 p.m.

CVE-2022-24717 Cross Site Scripting (XSS) in ssr-pages

2022-03-0118:40:11

CWE-79

GitHub_M

www.cve.org

cve-2022-24717

cross site scripting

xss

ssr-pages

html page builder

server-side rendering

untrusted input

redirect.link

patch

version 0.1.5

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

34.0%

JSON

ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). In versions prior to 0.1.5, a cross site scripting (XSS) issue can occur when providing untrusted input to the redirect.link property as an argument to the build(MessagePageOptions) function. While there is no known workaround at this time, there is a patch in version 0.1.5.

CNA Affected

[
  {
    "product": "ssr-pages",
    "vendor": "Finastra",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.1.5"
      }
    ]
  }
]

References

github.com/Finastra/ssr-pages/commit/98abc59e28fec48246be0d59ac144675d6361073

github.com/Finastra/ssr-pages/pull/2

github.com/Finastra/ssr-pages/pull/2/commits/133606ffaec2edd9918d9fba5771ed21da7876a5

github.com/Finastra/ssr-pages/security/advisories/GHSA-7f63-h6g3-7cwm

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

34.0%

JSON

Related for CVELIST:CVE-2022-24717