CVE-2022-39301 HIGH

CVE-2022-39301: sra-admin is vulnerable to stored cross-site scripting (XSS) via unrestricted file upload

Vendor Momofoolish
Product sra-admin
Weakness CWE-80 · XSS · basic
Published October 19, 2022
Last update April 22, 2025

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality High
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

What the vulnerability does

Description

sra-admin is a back-office rights management system with separate front end and back end. sra-admin version 1.1.1 has a stored cross-site scripting (XSS) vulnerability. After logging into the sra-admin back office, an attacker can upload an HTML page containing an XSS payload through "Personal Center" - "Profile Picture Upload"; when another user views the uploaded file, the script runs in their browser and can steal their personal information. This issue has been patched in 1.1.2. There are no known workarounds.
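The root cause described above is a profile-picture endpoint that accepts whatever the client uploads and later serves it back from the application's origin. The following is an added example, not code from sra-admin or its 1.1.2 patch, showing the weak check that makes this class of bug possible beside a hardened validator: it allowlists extensions, sniffs the file's magic bytes, requires the two to agree, rejects markup hidden inside an otherwise valid image, assigns a server-chosen storage name, and serves the result with headers that stop a browser from interpreting it as a document. The accepted formats (PNG, JPEG, GIF), the 2 MiB limit and the sample byte strings are assumptions chosen for the example.

```python
"""Profile-picture upload validation: weak pattern vs. hardened check (added example)."""
from __future__ import annotations

# Magic-byte signatures for the formats an avatar endpoint needs (assumption: PNG, JPEG, GIF only).
IMAGE_SIGNATURES: dict[str, tuple[bytes, ...]] = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS: dict[str, str] = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif",
}
MIME_TO_EXT = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size cap for an avatar

# Constructed sample inputs (not real uploads): a minimal PNG header, an HTML file,
# and a polyglot that starts with a valid PNG signature but carries markup.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_SAMPLE = b"<!DOCTYPE html><html><script>/* constructed sample */</script></html>"
POLYGLOT_SAMPLE = PNG_SAMPLE + b"<html><script>/* constructed sample */</script></html>"


def weak_check(filename: str, declared_type: str) -> bool:
    """The pattern behind stored XSS via upload: trusts client-supplied metadata only.
    A request can declare Content-Type image/png for an .html file, and this passes."""
    return declared_type.startswith("image/") or filename.lower().endswith(tuple(ALLOWED_EXTENSIONS))


def sniff_image_type(data: bytes) -> str | None:
    """Return the MIME type whose signature the bytes actually start with, else None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_profile_image(filename: str, declared_type: str, data: bytes) -> tuple[bool, str]:
    """Hardened check. Returns (accepted, detected MIME type or rejection reason).
    The declared Content-Type is deliberately ignored: only the bytes decide."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if ALLOWED_EXTENSIONS[ext] != sniffed:
        return False, "extension does not match content"
    # A valid signature is not enough: a polyglot can start as a PNG and still
    # contain markup that a lenient viewer or a sniffing browser would render.
    head = data[:4096].lower()
    if b"<html" in head or b"<script" in head or b"<svg" in head:
        return False, "markup in image"
    return True, sniffed


def storage_name(user_id: int, sniffed: str) -> str:
    """Server-chosen file name; the client's file name is never reused on disk or in URLs."""
    return f"avatar-{user_id}.{MIME_TO_EXT[sniffed]}"


def serving_headers(sniffed: str) -> dict[str, str]:
    """Headers for serving a stored avatar so the browser treats it only as an image."""
    return {
        "Content-Type": sniffed,
        "X-Content-Type-Options": "nosniff",        # no MIME sniffing into text/html
        "Content-Disposition": 'inline; filename="avatar"',
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script even if rendered
    }


if __name__ == "__main__":
    print("weak check accepts HTML declared as image:", weak_check("avatar.html", "image/png"))
    for name, ctype, blob in [("avatar.html", "image/png", HTML_SAMPLE),
                              ("avatar.png", "image/png", HTML_SAMPLE),
                              ("avatar.png", "image/png", POLYGLOT_SAMPLE),
                              ("avatar.png", "image/png", PNG_SAMPLE)]:
        print(name, validate_profile_image(name, ctype, blob))
```

Serving uploads from a separate origin (a dedicated static host or CDN domain) removes the remaining risk entirely, because even a file that slipped through would no longer run in the application's cookie and session context.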

Key dates

Disclosure timeline

October 19, 2022 CVE published
April 22, 2025 Record updated