Vulnerability Details : CVE-2022-1457
Potential exploit
Store XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-1457
- cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-1457
0.36%
Probability of exploitation activity in the next 30 days
EPSS Score History
~57%
Percentile: the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2022-1457
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
9.0 | CRITICAL | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.2 | 6.0 | huntr.dev | |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
CWE ids for CVE-2022-1457
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security@huntr.dev (Secondary)
References for CVE-2022-1457
- https://github.com/neorazorx/facturascripts/commit/b3e7527d1e100898c15fec067825b6bc738613df
  Fixed XSS bug when placing JavaScript as the title in a page_option. (NeoRazorX/facturascripts@b3e7527, GitHub)
  Patch; Third Party Advisory
- https://huntr.dev/bounties/8c80caa0-dc89-43f2-8f5f-db02d2669046
  Store XSS in title parameter executing at EditUser Page & EditProducto page vulnerability found in facturascripts
  Exploit; Patch; Third Party Advisory