CVE-2022-4068
20.11.2022, 05:15
A user is able to re-enable their own account after an admin has disabled it, as long as the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This allows an XSS attack in which an attacker with a low-privilege user account executes arbitrary JavaScript in the context of an admin's session.
Vendor | Product | Version
---|---|---
librenms | librenms | x < 22.10.0

x = Vulnerable software versions
Common Weakness Enumeration
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes: The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
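The two weaknesses listed above, shown as a minimal vulnerable-versus-hardened pair. This is an added illustration, not LibreNMS code: the handler names, the `SELF_EDITABLE` allowlist and the sample user record are hypothetical, and the fix pattern is the generic one for each CWE (field allowlisting for the self-service update, HTML escaping for the admin overview, and re-checking the account flag on every request rather than trusting an existing session).

```python
import html

# Constructed sample record: an account an admin has disabled, whose
# chosen username carries markup (hypothetical values).
SAMPLE_USER = {"username": "<script>alert(1)</script>",
               "email": "user@example.invalid", "enabled": False}

# Fields a user may change on their own profile. "enabled" is deliberately
# absent: only an admin-only endpoint may touch it.
SELF_EDITABLE = {"username", "email"}

def update_own_profile_unsafe(user, payload):
    """CWE-915 pattern: every key of the request body is written through,
    so a request carrying "enabled" re-enables a disabled account."""
    user.update(payload)
    return user

def update_own_profile(user, payload):
    """Hardened: apply only allowlisted keys, report the rest for logging."""
    rejected = sorted(k for k in payload if k not in SELF_EDITABLE)
    for key in SELF_EDITABLE & payload.keys():
        user[key] = payload[key]
    return user, rejected

def render_user_row_unsafe(user):
    """CWE-79 pattern: the username lands in the admin page unescaped."""
    return f"<tr><td>{user['username']}</td><td>{user['enabled']}</td></tr>"

def render_user_row(user):
    """Hardened: HTML-escape the user-controlled value before output."""
    state = "enabled" if user["enabled"] else "disabled"
    return (f"<tr><td>{html.escape(user['username'], quote=True)}</td>"
            f"<td>{state}</td></tr>")

def request_allowed(user, session_valid):
    """A valid session is not sufficient: re-check the account flag on
    every request so an admin's disable takes effect immediately."""
    return bool(session_valid and user["enabled"])

def contains_script_tag(markup):
    """Simple check used to compare the two renderers."""
    return "<script" in markup.lower()
```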