CVE-2022-42715

Опубликовано: 12 окт. 2022

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.

Ссылки

https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss
Exploit
Third Party Advisory
https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
Release Notes
Third Party Advisory
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Release Notes
Third Party Advisory
https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss
Exploit
Third Party Advisory
https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
Release Notes
Third Party Advisory
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*

Версия до 12.4.18 (исключая)

cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*

Версия от 12.5.0 (включая) до 12.5.11 (исключая)

EPSS

Процентиль: 64%

0.00464

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-5cvm-9gmj-pww2