PT-2022-17097 · Fava+1

Yagebu · Published 2022-07-25 · Updated 2022-07-27 · CVE-2022-2514

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Fava versions prior to 1.22
Description: Reflected cross-site scripting (XSS). Error messages that include the time and filter request parameters are rendered without escaping, so the parameter values are reflected verbatim into the page. This allows injection of malicious scripts, potentially leading to unauthorized actions on behalf of the user who opens the affected page.
Recommendations: Update to Fava 1.22 or later, which resolves the issue. Where updating is not immediately possible, as a temporary workaround restrict access to the time and filter parameters in error messages, and avoid passing these parameters in a way that could lead to script injection into error messages.
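The defect class described above, as an added Python illustration that is not Fava's own code: the same error message built with the request values pasted in verbatim, the hardened version with html.escape applied first (Jinja2 with autoescape enabled does the equivalent), and a small check that flags the unescaped reflection. Function names, the message text and the sample values are hypothetical; only the parameter names time and filter come from the advisory.

```python
# Added illustration (not Fava's code): reflecting request parameters into
# an HTML error message with and without escaping.
from html import escape
from typing import Dict


def error_message_unescaped(params: Dict[str, str]) -> str:
    """Vulnerable pattern: the raw query values are placed verbatim into
    markup, so any tags or attribute quotes in them become part of the page."""
    time_value = params.get("time", "")
    filter_value = params.get("filter", "")
    return (
        f'<p class="error">Invalid time: {time_value}; '
        f'invalid filter: {filter_value}</p>'
    )


def error_message_escaped(params: Dict[str, str]) -> str:
    """Hardened pattern: every user-supplied value is HTML-escaped (including
    quotes) before it is interpolated, so it renders as text, not markup."""
    time_value = escape(params.get("time", ""), quote=True)
    filter_value = escape(params.get("filter", ""), quote=True)
    return (
        f'<p class="error">Invalid time: {time_value}; '
        f'invalid filter: {filter_value}</p>'
    )


def reflects_unescaped(rendered: str, untrusted: str) -> bool:
    """Review/test helper: True when an untrusted value that contains
    HTML-significant characters survives verbatim into the rendered output."""
    needs_escaping = any(ch in untrusted for ch in '<>&"\'')
    return needs_escaping and untrusted in rendered


# Constructed sample request values, chosen to contain markup characters.
SAMPLE_PARAMS = {"time": "<b>2022</b>", "filter": 'account:"x"'}
```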


Related Identifiers

CVE-2022-2514
GHSA-XRF4-39FM-J5F2
PYSEC-2022-239
PYSEC-2022-43182

Affected Products

Debian
Fava