CVE-2022-22115 CRITICAL

CVE-2022-22115: Teedy - Stored Cross-Site Scripting (XSS) in Tag Name

Vendor Sismics

Product docs

Weakness CWE-79 · XSS

Published January 10, 2022

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

9.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Since the Tag name is not being sanitized properly in the edit tag page, a low privileged attacker can store malicious scripts in the name of the Tag. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, and privileges escalation.

Key dates

02Disclosure timeline

January 10, 2022 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-22115

Related vulnerabilities

Identifiers

CVE CVE-2022-22115

CWE CWE-79

CVSS 9.0 / CRITICAL

Affected versions

Vendor Sismics

Product docs

Affected ≥ v1.5 and < unspecified

Vendor Sismics

Product docs

Affected ≥ unspecified and ≤ v1.9

CVE-2022-22115: Teedy - Stored Cross-Site Scripting (XSS) in Tag Name

01Description

02Disclosure timeline

03References

04Related CVE