CVE-2022-23054 (GCVE-0-2022-23054)
Vulnerability from cvelistv5 – Published: 2022-02-20 19:00 – Updated: 2024-08-03 03:28
VLAI?
Title
Openmct XSS via the “Summary Widget”
Summary
Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Summary Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Daniel Elkabes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openmct ",
"vendor": "nasa",
"versions": [
{
"lessThanOrEqual": "1.7.7",
"status": "affected",
"version": "1.7.7",
"versionType": "custom"
},
{
"lessThan": "1.3.0*",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Daniel Elkabes"
}
],
"descriptions": [
{
"lang": "en",
"value": "Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the \u201cSummary Widget\u201d element, that allows the injection of malicious JavaScript into the \u2018URL\u2019 field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-20T19:00:17",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23054",
"discovery": "UNKNOWN"
},
"title": "Openmct XSS via the \u201cSummary Widget\u201d ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2022-23054",
"STATE": "PUBLIC",
"TITLE": "Openmct XSS via the \u201cSummary Widget\u201d "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "openmct ",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.7.7",
"version_value": "1.7.7"
},
{
"version_affected": "\u003e=",
"version_name": "1.3.0",
"version_value": "1.3.0"
}
]
}
}
]
},
"vendor_name": "nasa"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Daniel Elkabes"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the \u201cSummary Widget\u201d element, that allows the injection of malicious JavaScript into the \u2018URL\u2019 field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a",
"refsource": "MISC",
"url": "https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a"
}
]
},
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23054",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2022-23054",
"datePublished": "2022-02-20T19:00:17",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-08-03T03:28:43.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nasa:openmct:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.3.0\", \"versionEndIncluding\": \"1.7.7\", \"matchCriteriaId\": \"C14A1D57-15BD-4795-B4EA-B16E1F8C69B8\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the \\u201cSummary Widget\\u201d element, that allows the injection of malicious JavaScript into the \\u2018URL\\u2019 field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions.\"}, {\"lang\": \"es\", \"value\": \"Openmct versiones 1.3.0 hasta 1.7.7, son vulnerables a un ataque de tipo XSS almacenado por medio del elemento \\\"Summary Widget\\\", que permite la inyecci\\u00f3n de JavaScript malicioso en el campo \\\"URL\\\". Este problema afecta a: nasa openmct versiones 1.7.7 y anteriores; versiones 1.3.0 y posteriores\"}]",
"id": "CVE-2022-23054",
"lastModified": "2024-11-21T06:47:53.720",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"vulnerabilitylab@mend.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2022-02-20T19:15:09.357",
"references": "[{\"url\": \"https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a\", \"source\": \"vulnerabilitylab@mend.io\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "vulnerabilitylab@mend.io",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"vulnerabilitylab@mend.io\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23054\",\"sourceIdentifier\":\"vulnerabilitylab@mend.io\",\"published\":\"2022-02-20T19:15:09.357\",\"lastModified\":\"2024-11-21T06:47:53.720\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the \u201cSummary Widget\u201d element, that allows the injection of malicious JavaScript into the \u2018URL\u2019 field. This issue affects: nasa openmct 1.7.7 version and prior versions; 1.3.0 version and later versions.\"},{\"lang\":\"es\",\"value\":\"Openmct versiones 1.3.0 hasta 1.7.7, son vulnerables a un ataque de tipo XSS almacenado por medio del elemento \\\"Summary Widget\\\", que permite la inyecci\u00f3n de JavaScript malicioso en el campo \\\"URL\\\". Este problema afecta a: nasa openmct versiones 1.7.7 y anteriores; versiones 1.3.0 y posteriores\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"vulnerabilitylab@mend.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"vulnerabilitylab@mend.io\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nasa:openmct:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.0\",\"versionEndIncluding\":\"1.7.7\",\"matchCriteriaId\":\"C14A1D57-15BD-4795-B4EA-B16E1F8C69B8\"}]}]}],\"references\":[{\"url\":\"https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a\",\"source\":\"vulnerabilitylab@mend.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nasa/openmct/commit/abc93d0ec4b104dac1ea5f8a615d06e3ab78934a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…