An issue was discovered in LIVEBOX Collaboration vDesk through v031. A basic XSS vulnerability exists under the /api/v1/vdeskintegration/todo/createorupdate endpoint via the title parameter and /dashboard/reminders. A remote user (authenticated to the product) can store arbitrary HTML code in the reminder section title in order to corrupt the web page (for example, by creating phishing sections to exfiltrate victims' credentials).
References
Link | Resource |
---|---|
https://www.gruppotim.it/it/footer/red-team.html | Third Party Advisory |
History
19 Mar 2024, 16:49
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown, v3 : 5.4 |
First Time | Liveboxcloud, Liveboxcloud vdesk | |
CWE | CWE-79 | |
CPE | cpe:2.3:a:liveboxcloud:vdesk:*:*:*:*:*:*:*:* | |
References | () https://www.gruppotim.it/it/footer/red-team.html - Third Party Advisory |
22 Feb 2024, 19:07
Type | Values Removed | Values Added |
---|---|---|
Summary | |
21 Feb 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-21 16:15
Updated : 2024-04-01 15:52
NVD link : CVE-2022-45179
Mitre link : CVE-2022-45179
CVE.ORG link : CVE-2022-45179
Products Affected
liveboxcloud
- vdesk
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')