PT-2022-26136 · Wsgidav · Wsgidav

Published 2022-11-11 · Updated 2022-11-16

CVE-2022-41905

CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WsgiDAV versions prior to 4.1.0

Description: Implementations using this library with directory browsing enabled may be susceptible to Cross Site Scripting (XSS) attacks. This issue occurs when untrusted data, such as the 'realm' or the user name, is displayed in the directory browser's user interface without escaping. An attacker cannot exploit this vulnerability by simply uploading a file or folder with a manipulated file name.

Recommendations: For versions prior to 4.1.0, upgrade to version 4.1.0 to resolve the issue. As a temporary workaround, set dir_browser.enable = False in the configuration to prevent directory browsing and minimize the risk of exploitation. For example, when using a Python dictionary to configure the library, use the following configuration:
from wsgidav.wsgidav_app import WsgiDAVApp

config = {
    # your normal configuration
    "dir_browser": {
        "enable": False,  # turns the directory browser off (workaround for CVE-2022-41905)
    },
}
app = WsgiDAVApp(config)
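An added example, not code from the advisory or the WsgiDAV project, that audits a WsgiDAV configuration dict for this workaround and shows the escaping the browser UI needs. It assumes the configuration key is dir_browser with a boolean enable that defaults to on, and render_realm_line is a hypothetical stand-in for the listing template.

```python
import html
import re
from typing import Any, Dict, Tuple

# Version that ships the fix, per the advisory.
FIXED_VERSION = (4, 1, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.0.2' or '4.1.0rc1' into a comparable tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def dir_browser_enabled(config: Dict[str, Any]) -> bool:
    """Assumption: the switch lives at config['dir_browser']['enable'] and the
    directory browser is on unless it is explicitly turned off."""
    section = config.get("dir_browser") or {}
    return bool(section.get("enable", True))


def is_exposed(config: Dict[str, Any], installed_version: str) -> bool:
    """True when a deployment still needs action: vulnerable version and browsing on."""
    vulnerable = parse_version(installed_version) < FIXED_VERSION
    return vulnerable and dir_browser_enabled(config)


def render_realm_line(realm: str) -> str:
    """Hypothetical listing fragment: untrusted realm text is HTML-escaped before it
    is interpolated, which is the class of fix the advisory describes."""
    return f"<p>Realm: {html.escape(realm, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed sample configurations, not taken from a real deployment.
    unsafe = {"provider_mapping": {"/": "/tmp/share"}}
    safe = {"provider_mapping": {"/": "/tmp/share"}, "dir_browser": {"enable": False}}
    print("default config on 4.0.2 exposed:", is_exposed(unsafe, "4.0.2"))
    print("workaround on 4.0.2 exposed:", is_exposed(safe, "4.0.2"))
    print("default config on 4.1.0 exposed:", is_exposed(unsafe, "4.1.0"))
```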

XSS

Related Identifiers

CVE-2022-41905
GHSA-XX6G-JJ35-PXJV
PYSEC-2022-43018

Affected Products

Wsgidav