CVE-2022-23065

Vendure versions 0.1.0-alpha.2 through 1.5.1 are affected by a stored cross-site scripting vulnerability: an attacker holding the catalog permission can upload an SVG file containing malicious JavaScript through the Assets tab. Because the file is stored and served back by the application, the script executes in the browsers of administrators as well as regular users who open the asset.
Cross-site Scripting
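The advisory describes the vector but not a defence. As an added example (not the advisory's text and not Vendure's own code), the TypeScript below, in Vendure's implementation language, shows a pre-upload check that flags the SVG constructs which turn a stored image into stored XSS, together with the response headers to serve untrusted assets with. The rule names, the `untrustedAssetHeaders` helper and the three sample SVG strings are constructed for this illustration and are not drawn from the advisory or from the Vendure code base.

```typescript
// Added example, not Vendure code: a heuristic pre-upload check for SVG
// assets. It decodes numeric character references first so that payloads
// such as &#106;avascript: cannot slip past a plain text search. It is a
// guard, not a sanitizer; pair it with the headers below.

export interface SvgFinding {
  rule: string;    // which check fired
  snippet: string; // the matched text, truncated for logging
}

// Each pattern targets one way SVG can carry active content. Matching is
// case-insensitive because browsers are lenient about case in HTML-embedded
// SVG and attackers rely on that leniency.
const ACTIVE_CONTENT_RULES: Array<{ rule: string; re: RegExp }> = [
  { rule: "script-element",  re: /<\s*script\b/gi },
  { rule: "event-handler",   re: /\son[a-z]+\s*=/gi },
  { rule: "javascript-uri",  re: /\b(?:xlink:)?href\s*=\s*["']?\s*javascript:/gi },
  { rule: "foreign-object",  re: /<\s*foreignObject\b/gi },
  { rule: "external-entity", re: /<!ENTITY\b/gi },
  { rule: "animated-href",   re: /<\s*(?:set|animate)\b[^>]*\battributeName\s*=\s*["'](?:xlink:)?href["']/gi },
];

// Resolve &#NNN; and &#xHHH; so the rules see the characters a browser sees.
function decodeNumericEntities(s: string): string {
  const toChar = (code: number): string =>
    code > 0x10ffff ? "\uFFFD" : String.fromCodePoint(code);
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => toChar(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => toChar(parseInt(dec, 10)));
}

export function findActiveContent(svg: string): SvgFinding[] {
  const text = decodeNumericEntities(svg);
  const findings: SvgFinding[] = [];
  for (const { rule, re } of ACTIVE_CONTENT_RULES) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      findings.push({ rule, snippet: text.slice(m.index, m.index + 40) });
    }
  }
  return findings;
}

export function isSafeSvg(svg: string): boolean {
  return findActiveContent(svg).length === 0;
}

// Defence in depth for assets that must be served anyway: force a download
// and forbid script execution if the file is opened directly. This is an
// assumed helper, not a Vendure API; wire it into whatever serves /assets.
export function untrustedAssetHeaders(filename: string): Record<string, string> {
  const safeName = filename.replace(/[^\w.-]/g, "_");
  return {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed samples for the check (not taken from the advisory).
export const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
  <rect width="10" height="10" onload="alert(2)"/>
</svg>`;
export const ENCODED_SVG =
  `<svg xmlns="http://www.w3.org/2000/svg"><a href="&#106;avascript:alert(1)"><text>x</text></a></svg>`;
export const BENIGN_SVG =
  `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>`;
```

Run `findActiveContent` on the upload before it is written to storage and reject the file when it returns anything; log the `rule` and `snippet` so the rejection is auditable. The regexes are deliberately broad (an attribute whose name merely starts with `on` will trip the event-handler rule), which is the right bias for a gate on untrusted uploads. An SVG rendered through an `<img>` tag does not run script in any case; the headers matter for the direct-navigation, `<iframe>`, `<object>` and `<embed>` cases, which are where a stored SVG becomes stored XSS.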
Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   5.4 MEDIUM   NETWORK       LOW               LOW              CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Mend       CNA    5.4 MEDIUM   NETWORK       LOW               LOW              CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE        ADP    ---                                                           ---

Base score (CVSS 3.x): 5.4 MEDIUM. Both scorers agree on the vector; note the two components the table columns omit: UI:R (a victim has to open the stored asset) and S:C (the attacker's catalog-scoped privilege reaches other users' browsers, including administrators').

EPSS Score: percentile 42%
Vendor    Product   Version
vendure   vendure   0.1.2 ≤ x ≤ 1.5.1
vendure   vendure   0.1.0-alpha.2
vendure   vendure   0.1.0-alpha.3
vendure   vendure   0.1.0-alpha.4
vendure   vendure   0.1.0-alpha.5
vendure   vendure   0.1.0-alpha.6
vendure   vendure   0.1.0-alpha.7
vendure   vendure   0.1.0-alpha.8
vendure   vendure   0.1.0-alpha.9
vendure   vendure   0.1.0-alpha.10
vendure   vendure   0.1.0-alpha.11
vendure   vendure   0.1.0-alpha.12
vendure   vendure   0.1.0-alpha.13
vendure   vendure   0.1.0-alpha.14
vendure   vendure   0.1.0-alpha.15
vendure   vendure   0.1.0-alpha.16
vendure   vendure   0.1.0-alpha.18

x = vulnerable software versions