PT-2022-15252 · Teedy · Teedy
Published: 2022-01-10 · Updated: 2022-01-21
CVE-2022-22115
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Teedy versions v1.5 through v1.9
Description
The issue is a Stored Cross-Site Scripting (XSS) vulnerability in the name of a created Tag. Because the Tag name is not properly sanitized on the edit tag page, a low-privileged attacker can store malicious scripts in the name of the Tag. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator and privilege escalation.
Recommendations
For versions v1.5 through v1.9, consider disabling the edit tag functionality until a patch is available to prevent the exploitation of the Stored Cross-Site Scripting (XSS) vulnerability. Restrict access to the edit tag page to minimize the risk of exploitation. Avoid using the Tag name field in the edit tag page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Affected Products
Teedy