CVE-2022-39301
19.10.2022, 14:15
sra-admin is a back-end rights management system with separate front and back ends. sra-admin version 1.1.1 has a stored cross-site scripting (XSS) vulnerability. After logging into the sra-admin back end, an attacker can upload an HTML page containing XSS attack code via "Personal Center" - "Profile Picture Upload", allowing theft of the user's personal information. This issue has been patched in 1.1.2. There are no known workarounds.
Vendor | Product | Version |
---|---|---|
sra-admin_project | sra-admin | 𝑥 ≤ 1.1.1 |
𝑥 = Vulnerable software versions
Common Weakness Enumeration
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
- CWE-434 - Unrestricted Upload of File with Dangerous Type: The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.