ID

VAR-202204-1328


CVE

CVE-2022-29548


TITLE

Cross-site scripting vulnerability in multiple WSO2 products

Trust: 0.8

sources: JVNDB: JVNDB-2022-008751

DESCRIPTION

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0. A cross-site scripting vulnerability exists in multiple WSO2 products. Information may be obtained and information may be tampered with.

Trust: 1.8

sources: NVD: CVE-2022-29548 // JVNDB: JVNDB-2022-008751 // VULHUB: VHN-421057 // VULMON: CVE-2022-29548

AFFECTED PRODUCTS

vendor: wso2, model: api manager, scope: eq, version: 2.5.0

Trust: 1.0

vendor: wso2, model: api manager analytics, scope: eq, version: 2.5.0

Trust: 1.0

vendor: wso2, model: enterprise integrator, scope: eq, version: 6.4.0

Trust: 1.0

vendor: wso2, model: data analytics server, scope: eq, version: 3.2.0

Trust: 1.0

vendor: wso2, model: api manager, scope: eq, version: 4.0.0

Trust: 1.0

vendor: wso2, model: identity server, scope: eq, version: 5.6.0

Trust: 1.0

vendor: wso2, model: identity server, scope: eq, version: 5.10.0

Trust: 1.0

vendor: wso2, model: identity server analytics, scope: eq, version: 5.6.0

Trust: 1.0

vendor: wso2, model: api manager, scope: eq, version: 3.1.0

Trust: 1.0

vendor: wso2, model: micro integrator, scope: eq, version: 1.0.0

Trust: 1.0

vendor: wso2, model: api manager analytics, scope: eq, version: 2.6.0

Trust: 1.0

vendor: wso2, model: api microgateway, scope: eq, version: 2.2.0

Trust: 1.0

vendor: wso2, model: identity server as key manager, scope: eq, version: 5.7.0

Trust: 1.0

vendor: wso2, model: api manager, scope: eq, version: 3.0.0

Trust: 1.0

vendor: wso2, model: enterprise integrator, scope: eq, version: 6.6.0

Trust: 1.0

vendor: wso2, model: api manager, scope: eq, version: 2.6.0

Trust: 1.0

vendor: wso2, model: enterprise integrator, scope: eq, version: 6.3.0

Trust: 1.0

vendor: wso2, model: identity server as key manager, scope: eq, version: 5.5.0

Trust: 1.0

vendor: wso2, model: identity server, scope: eq, version: 5.11.0

Trust: 1.0

vendor: wso2, model: enterprise integrator, scope: eq, version: 6.5.0

Trust: 1.0

vendor: wso2, model: api manager analytics, scope: eq, version: 2.2.0

Trust: 1.0

vendor: wso2, model: identity server as key manager, scope: eq, version: 5.9.0

Trust: 1.0

vendor: wso2, model: enterprise integrator, scope: eq, version: 6.2.0

Trust: 1.0

vendor: wso2, model: identity server, scope: eq, version: 5.7.0

Trust: 1.0

vendor: wso2, model: identity server as key manager, scope: eq, version: 5.6.0

Trust: 1.0

vendor: wso2, model: api manager, scope: eq, version: 2.2.0

Trust: 1.0

vendor: wso2, model: identity server, scope: eq, version: 5.5.0

Trust: 1.0

vendor: wso2, model: identity server as key manager, scope: eq, version: 5.10.0

Trust: 1.0

vendor: wso2, model: identity server, scope: eq, version: 5.9.0

Trust: 1.0

vendor: wso2, model: identity server analytics, scope: eq, version: 5.5.0

Trust: 1.0

vendor: wso2, model: api manager, scope: eq, version: 3.2.0

Trust: 1.0

vendor: wso2, model: enterprise integrator, scope: -, version: -

Trust: 0.8

vendor: wso2, model: identity server, scope: -, version: -

Trust: 0.8

vendor: wso2, model: api microgateway, scope: -, version: -

Trust: 0.8

vendor: wso2, model: data analytics server, scope: -, version: -

Trust: 0.8

vendor: wso2, model: api manager analytics, scope: -, version: -

Trust: 0.8

vendor: wso2, model: api manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-008751 // NVD: CVE-2022-29548

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-29548
value: MEDIUM

Trust: 1.0

cve@mitre.org: CVE-2022-29548
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-29548
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202204-3932
value: MEDIUM

Trust: 0.6

VULHUB: VHN-421057
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-29548
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-29548
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-421057
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-29548
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2022-29548
baseSeverity: MEDIUM
baseScore: 4.6
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: CVE-2022-29548
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-421057 // VULMON: CVE-2022-29548 // JVNDB: JVNDB-2022-008751 // CNNVD: CNNVD-202204-3932 // NVD: CVE-2022-29548 // NVD: CVE-2022-29548

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-421057 // JVNDB: JVNDB-2022-008751 // NVD: CVE-2022-29548

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3932

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202204-3932

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-421057

PATCH

title: WSO2 Fixes for Cross-Site Scripting Vulnerabilities in Multiple Products, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191492

Trust: 0.6

title: References PoC Notes, url: https://github.com/cxosmo/CVE-2022-29548

Trust: 0.1

title: GoXploitDB, url: https://github.com/vishnusomank/GoXploitDB

Trust: 0.1

title: Goby_POC POC count 1319, url: https://github.com/Z0fhack/Goby_POC

Trust: 0.1

title: PoC in GitHub, url: https://github.com/manas3c/CVE-POC

Trust: 0.1

title: Kenzer Templates [5170] [DEPRECATED], url: https://github.com/ARPSyndicate/kenzer-templates

Trust: 0.1

sources: VULMON: CVE-2022-29548 // CNNVD: CNNVD-202204-3932

EXTERNAL IDS

db: NVD, id: CVE-2022-29548

Trust: 3.4

db: PACKETSTORM, id: 167587

Trust: 2.6

db: JVNDB, id: JVNDB-2022-008751

Trust: 0.8

db: EXPLOIT-DB, id: 50970

Trust: 0.7

db: CXSECURITY, id: WLB-2022060087

Trust: 0.6

db: CNNVD, id: CNNVD-202204-3932

Trust: 0.6

db: VULHUB, id: VHN-421057

Trust: 0.1

db: VULMON, id: CVE-2022-29548

Trust: 0.1

sources: VULHUB: VHN-421057 // VULMON: CVE-2022-29548 // JVNDB: JVNDB-2022-008751 // CNNVD: CNNVD-202204-3932 // NVD: CVE-2022-29548

REFERENCES

url:http://packetstormsecurity.com/files/167587/wso2-management-console-cross-site-scripting.html

Trust: 3.2

url:https://docs.wso2.com/display/security/security+advisory+wso2-2021-1603

Trust: 2.6

url:https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/wso2-2021-1603/

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-29548

Trust: 0.8

url:https://www.exploit-db.com/exploits/50970

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-29548/

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2022060087

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://github.com/cxosmo/cve-2022-29548

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-421057 // VULMON: CVE-2022-29548 // JVNDB: JVNDB-2022-008751 // CNNVD: CNNVD-202204-3932 // NVD: CVE-2022-29548

CREDITS

cxosmo

Trust: 0.6

sources: CNNVD: CNNVD-202204-3932

SOURCES

db: VULHUB, id: VHN-421057
db: VULMON, id: CVE-2022-29548
db: JVNDB, id: JVNDB-2022-008751
db: CNNVD, id: CNNVD-202204-3932
db: NVD, id: CVE-2022-29548

LAST UPDATE DATE

2024-11-23T22:47:27.591000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-421057, date: 2022-12-02T00:00:00
db: VULMON, id: CVE-2022-29548, date: 2023-11-03T00:00:00
db: JVNDB, id: JVNDB-2022-008751, date: 2023-07-31T08:19:00
db: CNNVD, id: CNNVD-202204-3932, date: 2022-06-30T00:00:00
db: NVD, id: CVE-2022-29548, date: 2024-11-21T06:59:18.107

SOURCES RELEASE DATE

db: VULHUB, id: VHN-421057, date: 2022-04-21T00:00:00
db: VULMON, id: CVE-2022-29548, date: 2022-04-21T00:00:00
db: JVNDB, id: JVNDB-2022-008751, date: 2023-07-31T00:00:00
db: CNNVD, id: CNNVD-202204-3932, date: 2022-04-21T00:00:00
db: NVD, id: CVE-2022-29548, date: 2022-04-21T02:15:06.800