CVE-2022-25847 MEDIUM

CVE-2022-25847

Vendor N/A

Product serve-lite

Weakness CWE-79 · XSS

Published January 25, 2023

Last update April 1, 2025

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding.

Key dates

02Disclosure timeline

January 25, 2023 CVE published

April 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-25847 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-36207 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2022-0780 SearchIQ < 3.9 - Unauthenticated Stored XSS CVE-2021-40711 Adobe Experience Manager Stored Cross-Site Scripting Could Lead to Arbitrary Code Execution CVE-2023-47546 WordPress OneClick Chat to Order Plugin <= 1.0.4.2 is vulnerable to Cross Site Scripting (XSS) CVE-2024-45071 IBM WebSphere Application Server cross-site scripting