PT-2022-26176 · Dhis2 · Dhis2

Philip-Larsen-Donnelly · Published 2022-12-08 · Updated 2022-12-12 · CVE-2022-41947

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

DHIS 2 versions prior to 2.36.12.1
DHIS 2 versions prior to 2.37.8.1
DHIS 2 versions prior to 2.38.2.1
DHIS 2 versions prior to 2.39.0.1
Description

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded JavaScript. The user could then potentially trick another authenticated user into opening the malicious file in a browser, which would execute the JavaScript in the context of the DHIS2 origin, resulting in a cross-site scripting (XSS) attack.
Recommendations

For versions prior to 2.36.12.1, upgrade to version 2.36.12.1.
For versions prior to 2.37.8.1, upgrade to version 2.37.8.1.
For versions prior to 2.38.2.1, upgrade to version 2.38.2.1.
For versions prior to 2.39.0.1, upgrade to version 2.39.0.1.

As a temporary workaround for users unable to upgrade, configure your web proxy to add a Content-Security-Policy header with the directive script-src 'none' to responses from the vulnerable endpoints. This prevents any JavaScript from running in pages served by those endpoints, so an uploaded file that embeds a script is rendered without executing it. Note that the header must be the enforcing Content-Security-Policy, not Content-Security-Policy-Report-Only, and it must be applied to every endpoint that serves uploaded content.
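As an added example, not part of the advisory or DHIS2's own code: a small Python model of the proxy-side workaround together with a check that a served upload actually carries an enforced script-src 'none' policy, covering the cases a quick manual check tends to miss (a Report-Only header, a policy delivered in different letter case, and a default-src fallback). The endpoint prefix is a placeholder; the real paths depend on your deployment.

```python
"""Added example (not DHIS2 project code): model the advisory's proxy-side CSP workaround
and verify that a response from a file endpoint really forbids script execution."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Placeholder standing in for the vulnerable upload/download endpoints (assumption: the
# advisory does not list them; substitute the real paths from your DHIS2 deployment).
PROTECTED_PREFIXES = ("/placeholder/file-endpoint/",)
WORKAROUND_CSP = "script-src 'none'"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split one Content-Security-Policy value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            name, *sources = tokens
            # Directive names and keyword sources such as 'none' are ASCII case-insensitive.
            directives.setdefault(name.lower(), []).extend(
                s.lower() if s.startswith("'") else s for s in sources)
    return directives


def csp_blocks_scripts(headers: Headers) -> bool:
    """True if the enforced policy forbids all script execution.

    Only Content-Security-Policy counts: the Report-Only variant never blocks anything.
    When several policies are delivered, each one is enforced, so a single policy that
    forbids scripts is sufficient. script-src falls back to default-src when absent.
    """
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        directives = parse_csp(value)
        sources = directives.get("script-src", directives.get("default-src"))
        if sources == ["'none'"]:
            return True
    return False


def apply_workaround(path: str, headers: Headers) -> Headers:
    """Proxy rule from the advisory: add the CSP to responses from protected endpoints."""
    if path.startswith(PROTECTED_PREFIXES):
        return headers + [("Content-Security-Policy", WORKAROUND_CSP)]
    return headers


# Constructed sample: an uploaded file served as HTML, as the app would return it.
UPLOAD_RESPONSE: Headers = [("Content-Type", "text/html"), ("Content-Length", "512")]
```

Running csp_blocks_scripts against live responses (for example the headers returned by an HTTP client) is a quick way to confirm the proxy rule is applied where it is needed.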

XSS

Related Identifiers

CVE-2022-41947
GHSA-763W-RM78-6XCG

Affected Products

Dhis2