fossology sql/VarValue cross site scripting

A vulnerability has been found in fossology and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument sql/VarValue leads to cross site scripting. Using CWE to declare the problem leads to CWE-79. The weakness was released 01/04/2023 as 2356. The advisory is available at github.com. This vulnerability was named CVE-2022-4875. The attack can be initiated remotely. Technical details are available. There is no exploit available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment. This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project. It is declared as not defined. As 0-day the estimated underground price was around $0-$5k. The patch is identified as 8e0eba001662c7eb35f045b70dd458a4643b4553. The bugfix is ready for download at github.com. It is recommended to apply a patch to fix this issue. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

Field01/04/2023 22:3901/28/2023 12:5201/28/2023 12:59
namefossologyfossologyfossology
argumentsql/VarValuesql/VarValuesql/VarValue
cwe79 (cross site scripting)79 (cross site scripting)79 (cross site scripting)
risk111
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prHHH
cvss3_vuldb_uiRRR
cvss3_vuldb_sUUU
cvss3_vuldb_cNNN
cvss3_vuldb_iLLL
cvss3_vuldb_aNNN
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
identifier235623562356
urlhttps://github.com/fossology/fossology/pull/2356https://github.com/fossology/fossology/pull/2356https://github.com/fossology/fossology/pull/2356
namePatchPatchPatch
patch_name8e0eba001662c7eb35f045b70dd458a4643b45538e0eba001662c7eb35f045b70dd458a4643b45538e0eba001662c7eb35f045b70dd458a4643b4553
patch_urlhttps://github.com/fossology/fossology/commit/8e0eba001662c7eb35f045b70dd458a4643b4553https://github.com/fossology/fossology/commit/8e0eba001662c7eb35f045b70dd458a4643b4553https://github.com/fossology/fossology/commit/8e0eba001662c7eb35f045b70dd458a4643b4553
advisoryquotefix(security) fix Reflected XSS vulnerabilityfix(security) fix Reflected XSS vulnerabilityfix(security) fix Reflected XSS vulnerability
cveCVE-2022-4875CVE-2022-4875CVE-2022-4875
responsibleVulDBVulDBVulDB
date1672786800 (01/04/2023)1672786800 (01/04/2023)1672786800 (01/04/2023)
cvss2_vuldb_avNNN
cvss2_vuldb_acLLL
cvss2_vuldb_auMMM
cvss2_vuldb_ciNNN
cvss2_vuldb_iiPPP
cvss2_vuldb_aiNNN
cvss2_vuldb_rcCCC
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_eNDNDND
cvss3_vuldb_eXXX
cvss2_vuldb_basescore3.33.33.3
cvss2_vuldb_tempscore2.92.92.9
cvss3_vuldb_basescore2.42.42.4
cvss3_vuldb_tempscore2.32.32.3
cvss3_meta_basescore2.42.43.6
cvss3_meta_tempscore2.32.33.6
price_0day$0-$5k$0-$5k$0-$5k
cve_assigned1672786800 (01/04/2023)1672786800 (01/04/2023)
cve_nvd_summaryA vulnerability has been found in fossology and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument sql/VarValue leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 8e0eba001662c7eb35f045b70dd458a4643b4553. It is recommended to apply a patch to fix this issue. VDB-217426 is the identifier assigned to this vulnerability.A vulnerability has been found in fossology and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument sql/VarValue leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 8e0eba001662c7eb35f045b70dd458a4643b4553. It is recommended to apply a patch to fix this issue. VDB-217426 is the identifier assigned to this vulnerability.
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prN
cvss3_nvd_uiR
cvss3_nvd_sC
cvss3_nvd_cL
cvss3_nvd_iL
cvss3_nvd_aN
cvss2_nvd_avN
cvss2_nvd_acL
cvss2_nvd_auM
cvss2_nvd_ciN
cvss2_nvd_iiP
cvss2_nvd_aiN
cvss3_cna_avN
cvss3_cna_acL
cvss3_cna_prH
cvss3_cna_uiR
cvss3_cna_sU
cvss3_cna_cN
cvss3_cna_iL
cvss3_cna_aN
cve_cnaVulDB
cvss2_nvd_basescore3.3
cvss3_nvd_basescore6.1
cvss3_cna_basescore2.4

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!