CVE-2022-22114 CRITICAL

CVE-2022-22114: Teedy - Reflected Cross-Site Scripting (XSS) in the Search Functionality

Vendor Sismics
Product docs
Weakness CWE-79 · XSS
Published January 10, 2022
Last update September 16, 2024
View on NVD All CVEs

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “search term" search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victim’s browser when they enter the crafted URL. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, by an unauthenticated attacker.

Key dates

02Disclosure timeline

January 10, 2022 CVE published
September 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-3026 Cross-site Scripting (XSS) - Stored in jgraph/drawio CVE-2025-13983 Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121 CVE-2025-63052 WordPress SimpLy Gallery plugin <= 3.3.2.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-54048 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79) CVE-2024-11230 Elementor Header & Footer Builder <= 1.6.46 - Authenticated (Contributor+) Stored Cross-Site Scripting via Page Title Widget