CVE-2022-2514 HIGH

CVE-2022-2514: Cross-site Scripting (XSS) - Reflected in beancount/fava

Vendor Beancount

Product beancount/fava

Weakness CWE-79 · XSS

Published July 25, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.

Key dates

02Disclosure timeline

July 25, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-2514 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-33947 WordPress RegistrationMagic plugin <= 5.3.2.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-1647 XSS in Bootstrap title attribute for Tooltip and Popover CVE-2025-23112 CVE-2024-54406 WordPress Comments On Feed plugin <= 1.2.1 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-34011 WordPress ShopConstruct Plugin <= 1.1.2 is vulnerable to Cross Site Scripting (XSS)