CVE-2022-27166 (GCVE-0-2022-27166)

Vulnerability from cvelistv5 – Published: 2022-08-04 06:15 – Updated: 2024-08-03 05:18
VLAI?
Summary
A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Severity ?
No CVSS data available.
CWE
  • Cross-site scripting vulnerability on XHRHtml2Markup.jsp
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache JSPWiki Affected: Apache JSPWiki , ≤ Apache JSPWiki up to 2.11.2 (custom)
Create a notification for this product.
Credits
Issue was discovered by Salt, <saltnekoko AT gmail DOT com>
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:18:39.251Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache JSPWiki",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "Apache JSPWiki up to 2.11.2",
              "status": "affected",
              "version": "Apache JSPWiki",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Issue was discovered by Salt, \u003csaltnekoko AT gmail DOT com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting vulnerability on XHRHtml2Markup.jsp",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-04T06:15:17",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XSS vulnerability on XHRHtml2Markup.jsp in JSPWiki 2.11.2",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-27166",
          "STATE": "PUBLIC",
          "TITLE": "XSS vulnerability on XHRHtml2Markup.jsp in JSPWiki 2.11.2"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache JSPWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache JSPWiki",
                            "version_value": "Apache JSPWiki up to 2.11.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Issue was discovered by Salt, \u003csaltnekoko AT gmail DOT com\u003e"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting vulnerability on XHRHtml2Markup.jsp"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732",
              "refsource": "MISC",
              "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-27166",
    "datePublished": "2022-08-04T06:15:17",
    "dateReserved": "2022-03-14T00:00:00",
    "dateUpdated": "2024-08-03T05:18:39.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.11.3\", \"matchCriteriaId\": \"64A3E769-A3E7-4648-8792-5138BD591C1F\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim.\"}, {\"lang\": \"es\", \"value\": \"Una petici\\u00f3n cuidadosamente dise\\u00f1ada en el archivo XHRHtml2Markup.jsp podr\\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki versiones hasta 2.11.2 inclusive, lo que podr\\u00eda permitir al atacante ejecutar javascript en el navegador de la v\\u00edctima y conseguir informaci\\u00f3n confidencial sobre ella\"}]",
      "id": "CVE-2022-27166",
      "lastModified": "2024-11-21T06:55:19.760",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2022-08-04T07:15:07.377",
      "references": "[{\"url\": \"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732\", \"source\": \"security@apache.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-27166\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-08-04T07:15:07.377\",\"lastModified\":\"2024-11-21T06:55:19.760\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim.\"},{\"lang\":\"es\",\"value\":\"Una petici\u00f3n cuidadosamente dise\u00f1ada en el archivo XHRHtml2Markup.jsp podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki versiones hasta 2.11.2 inclusive, lo que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y conseguir informaci\u00f3n confidencial sobre ella\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.11.3\",\"matchCriteriaId\":\"64A3E769-A3E7-4648-8792-5138BD591C1F\"}]}]}],\"references\":[{\"url\":\"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.