CVE-2022-3893

Cross-site Scripting (XSS) vulnerability in BlueSpiceCustomMenu extension of BlueSpice allows user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application.

CVSS v3 2.3 LOW

2.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-06	Vendor Advisory
https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-06	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:20

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-15 15:15

Updated : 2024-11-21 07:20

NVD link : CVE-2022-3893

Mitre link : CVE-2022-3893

CVE.ORG link : CVE-2022-3893

JSON object : View

Products Affected

hallowelt

bluespice

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-3893", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@bluespice.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2022-11-15T15:15:10.813", "references": [{"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-06", "tags": ["Vendor Advisory"], "source": "security@bluespice.com"}, {"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-06", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@bluespice.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceCustomMenu extension of BlueSpice allows user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application."}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting (XSS) en la extensi\u00f3n BlueSpiceCustomMenu de BlueSpice permite al usuario con permisos de administrador inyectar HTML arbitrario en el men\u00fa de navegaci\u00f3n personalizado de la aplicaci\u00f3n."}], "lastModified": "2024-11-21T07:20:27.953", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D", "versionEndExcluding": "4.2.1", "versionStartIncluding": "4.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@bluespice.com"}