CVE-2022-39824

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.9 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
VendorProductVersion
appsmithappsmith
𝑥
≤ 1.7.14
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/FCncdn/Appsmith-Js-Injection-POC
https://github.com/appsmithorg/appsmith/releases
https://github.com/FCncdn/Appsmith-Js-Injection-POC
https://github.com/appsmithorg/appsmith/releases