CVE-2022-37926 : A vulnerability within the web-based management interface of EdgeConnect Enterpr

A vulnerability within the web-based management interface of EdgeConnect Enterprise could allow a remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface by uploading a specially crafted file. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.

Published 2022-12-12 13:15:14

Updated 2022-12-13 19:23:30

Source Hewlett Packard Enterprise (HPE)

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-37926

Arubanetworks » Edgeconnect Enterprise
Versions from including (>=) 9.1.0.0 and up to, including, (<=) 9.1.3.0
cpe:2.3:a:arubanetworks:edgeconnect_enterprise:*:*:*:*:*:*:*:*
Matching versions
Arubanetworks » Edgeconnect Enterprise
Versions from including (>=) 8.3.1.0 and up to, including, (<=) 8.3.7.1
cpe:2.3:a:arubanetworks:edgeconnect_enterprise:*:*:*:*:*:*:*:*
Matching versions
Arubanetworks » Edgeconnect Enterprise
Versions from including (>=) 9.0.0.0 and up to, including, (<=) 9.0.7.0
cpe:2.3:a:arubanetworks:edgeconnect_enterprise:*:*:*:*:*:*:*:*
Matching versions
Arubanetworks » Edgeconnect Enterprise
Versions from including (>=) 9.2.0.0 and up to, including, (<=) 9.2.1.0
cpe:2.3:a:arubanetworks:edgeconnect_enterprise:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-37926

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 21 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-37926

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	2.3	2.7	Hewlett Packard Enterprise (HPE)
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-37926

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-37926

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-018.txt

Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-37926

Products affected by CVE-2022-37926

Exploit prediction scoring system (EPSS) score for CVE-2022-37926

CVSS scores for CVE-2022-37926

CWE ids for CVE-2022-37926

References for CVE-2022-37926