CVE-2022-23544 HIGH

CVE-2022-23544: Server-Side Request Forgery in Metersphere leads to Cross-Site Scripting

Vendor Metersphere
Product metersphere
Weakness CWE-918 · SSRF
Published December 27, 2022
Last update April 11, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

Description

MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side Request Forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as to execute JavaScript code in the context of MeterSphere's origin in the browser of a victim of the resulting reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.
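The description above covers both halves of the flaw: an image-by-URL proxy that fetches whatever target it is handed, and a relayed response that a browser can render as HTML in the application's origin. The following is an added defensive example, not MeterSphere's own code; it assumes a generic "fetch image by URL" endpoint and shows the two checks such an endpoint needs, a resolved-address allowlist before the fetch and a content-type gate on what is relayed back (the resolver is injectable so the checks can be exercised offline with constructed data).

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def _is_public_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (cloud metadata), CGNAT, etc."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified
                or addr in ipaddress.ip_network("100.64.0.0/10"))


def dns_resolve(host: str) -> list:
    """Default resolver: every address the host maps to (IP literals pass through)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_image_url(url: str, resolve=dns_resolve) -> bool:
    """True only for http(s) URLs whose host resolves exclusively to public IPs.

    Every returned address is checked, so a round-robin record that mixes a
    public and an internal address is rejected rather than passed through.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    if parsed.username or parsed.password:  # no credentials in the target URL
        return False
    try:
        addrs = resolve(parsed.hostname)
        return bool(addrs) and all(_is_public_ip(a) for a in addrs)
    except (OSError, ValueError):  # resolution failed or non-IP answer
        return False


def image_response_headers(upstream_content_type: str) -> dict:
    """Headers for relaying a fetched body; raises unless upstream sent an image.

    nosniff plus a sandboxing CSP keep a browser from treating the relayed
    bytes as HTML in the proxy's origin, which is the XSS half of the bug.
    """
    ctype = upstream_content_type.split(";", 1)[0].strip().lower()
    if ctype not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"refusing to relay non-image content: {ctype}")
    return {"Content-Type": ctype,
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}
```

The address check must be repeated for every redirect hop the fetch follows, and the HTTP client should connect to the address that was validated rather than resolving the hostname a second time.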

Key dates

Disclosure timeline

December 27, 2022 CVE published
April 11, 2025 Record updated