CVE-2022-50942

EUVD-2022-55948
Incinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
VulnCheckCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Debian logo
Debian Releases
Debian Product
Codename
icingaweb2
bookworm
undetermined
bullseye
undetermined
forky
undetermined
sid
undetermined
trixie
undetermined
Common Weakness Enumeration
References
https://github.com/Icinga/icingaweb2
https://icinga.com/
https://www.vulncheck.com/advisories/inciga-web-client-side-cross-site-scripting-via-eventlistener
https://www.vulnerability-lab.com/get_content.php?id=2273
https://www.vulnerability-lab.com/get_content.php?id=2273