Lucene search

[email protected]NVD:CVE-2022-44012

HistoryDec 25, 2022 - 5:15 a.m.

CVE-2022-44012

2022-12-2505:15:10

CWE-79

[email protected]

web.nvd.nist.gov

simmeth lieferantenmanager

remote attackers

javascript code

encrypted passwords

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

25.3%

JSON

An issue was discovered in /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId in Simmeth Lieferantenmanager before 5.6. An attacker can execute JavaScript code in the browser of the victim if a site is loaded. The victim’s encrypted password can be stolen and most likely be decrypted.

Affected configurations

Nvd

Node

simmethlieferantenmanagerRange<5.6

VendorProductVersionCPE
simmethlieferantenmanager*cpe:2.3:a:simmeth:lieferantenmanager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
simmeth	lieferantenmanager	*	cpe:2.3:a:simmeth:lieferantenmanager::::::::

References

sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-simmeth-system-gmbh-lieferantenmanager/