CVE-2022-25620

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86.

CVSS v3 3.8 LOW
CVSS v2.0 3.5 LOW

3.8^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.3 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.sambabox.io/sambabox-surum-4-0/	Release Notes Vendor Advisory
https://www.sambabox.io/sambabox-surum-4-0/	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:profelis:sambabox:*:*:*:*:*:*:x86:*

History

21 Nov 2024, 06:52

Type	Values Removed	Values Added
References	~~() https://www.sambabox.io/sambabox-surum-4-0/ - Release Notes, Vendor Advisory~~	() https://www.sambabox.io/sambabox-surum-4-0/ - Release Notes, Vendor Advisory
CVSS	v2 : ~~3.5~~ v3 : ~~9.0~~	v2 : 3.5 v3 : 3.8

07 Apr 2022, 16:25

Type	Values Removed	Values Added
References	~~(CONFIRM) https://www.sambabox.io/sambabox-surum-4-0/ -~~	(CONFIRM) https://www.sambabox.io/sambabox-surum-4-0/ - Release Notes, Vendor Advisory
CPE		cpe:2.3:a:profelis:sambabox:::::::x86:*
CWE		CWE-79
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 3.5 v3 : 9.0

30 Mar 2022, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-30 15:15

Updated : 2024-11-21 06:52

NVD link : CVE-2022-25620

Mitre link : CVE-2022-25620

CVE.ORG link : CVE-2022-25620

JSON object : View

Products Affected

profelis

sambabox

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-25620", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "cve@profelis.com.tr", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 0.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2022-03-30T15:15:08.377", "references": [{"url": "https://www.sambabox.io/sambabox-surum-4-0/", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@profelis.com.tr"}, {"url": "https://www.sambabox.io/sambabox-surum-4-0/", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@profelis.com.tr", "description": [{"lang": "en", "value": "CWE-80"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86."}, {"lang": "es", "value": "Una vulnerabilidad de Neutralizaci\u00f3n inapropiada de las etiquetas HTML relacionadas con los scripts en una p\u00e1gina web (XSS b\u00e1sico) en la funcionalidad Group de Profelis IT Consultancy SambaBox permite al usuario AUTENTICADO causar la ejecuci\u00f3n de c\u00f3digos arbitrarios en el servidor vulnerable. Este problema afecta a: Profelis IT Consultancy SambaBox versi\u00f3n 4.0 versiones 4.0 y anteriores en x86"}], "lastModified": "2024-11-21T06:52:27.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:profelis:sambabox:*:*:*:*:*:*:x86:*", "vulnerable": true, "matchCriteriaId": "72B249F6-F5DA-4809-AF06-D5071D3A04D3", "versionEndIncluding": "4.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@profelis.com.tr"}