Lucene search

[email protected]NVD:CVE-2022-42225

HistoryMay 24, 2023 - 8:15 p.m.

CVE-2022-42225

2023-05-2420:15:09

CWE-79

[email protected]

web.nvd.nist.gov

jumpserver

2.10.0

2.26.0

stored xss

vulnerabilities

improper filtering

user input

javascript

admin permission

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

45.5%

JSON

Jumpserver 2.10.0 <= version <= 2.26.0 contains multiple stored XSS vulnerabilities because of improper filtering of user input, which can execute any javascript under admin’s permission.

Affected configurations

Nvd

Node

fit2cloudlinaRange2.10.0–2.26.0

VendorProductVersionCPE
fit2cloudlina*cpe:2.3:a:fit2cloud:lina:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fit2cloud	lina	*	cpe:2.3:a:fit2cloud:lina::::::::

References

gist.github.com/bybit-sec/eb750c1d906c89e97092b29015472738

github.com/jumpserver/lina/blob/v2.10.0/src/views/settings/SystemMessageSubscription/SelectDialog.vue#L43

github.com/jumpserver/lina/blob/v2.11.0/src/layout/components/NavHeader/SiteMessages.vue#L40

github.com/jumpserver/lina/blob/v2.26.0/src/views/tickets/components/Comments.vue#L16

github.com/jumpserver/lina/pull/2264