CVE-2022-42786 : Multiple W&T Products of the ComServer Series are prone to an XSS attack. An aut

Multiple W&T Products of the ComServer Series are prone to an XSS attack. An authenticated remote Attacker can execute arbitrary web scripts or HTML via a crafted payload injected into the title of the configuration webpage

Published 2022-11-10 12:15:10

Updated 2023-01-20 14:53:22

Source CERT VDE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-42786

WUT » At-modem-emulator Firmware
Versions before (<) 1.48
cpe:2.3:o:wut:at-modem-emulator_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » At-modem-emulator » Version: N/A
WUT » Com-server ++ Firmware
Versions before (<) 1.48
cpe:2.3:o:wut:com-server_\+\+_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server ++ » Version: N/A
WUT » Com-server 20ma Firmware
Versions before (<) 1.48
cpe:2.3:o:wut:com-server_20ma_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server 20ma » Version: N/A
WUT » Com-server Highspeed 100basefx Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_100basefx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed 100basefx » Version: N/A
WUT » Com-server Highspeed 100baselx Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_100baselx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed 100baselx » Version: N/A
WUT » Com-server Highspeed 19" 1port Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_19\"_1port_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed 19" 1port » Version: N/A
WUT » Com-server Highspeed 19" 4port Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_19\"_4port_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed 19" 4port » Version: N/A
WUT » Com-server Highspeed Compact Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_compact_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Compact » Version: N/A
WUT » Com-server Highspeed Industry Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_industry_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Industry » Version: N/A
WUT » Com-server Highspeed Isolated Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_isolated_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Isolated » Version: N/A
WUT » Com-server Highspeed Oem Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_oem_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Oem » Version: N/A
WUT » Com-server Highspeed Office 1port Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_office_1port_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Office 1port » Version: N/A
WUT » Com-server Highspeed Office 4port Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_office_4port_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Office 4port » Version: N/A
WUT » Com-server Highspeed Poe Firmware
Versions before (<) 1.76
cpe:2.3:o:wut:com-server_highspeed_poe_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Poe » Version: N/A
WUT » Com-server Highspeed Lc Firmware
Versions before (<) 1.48
cpe:2.3:o:wut:com-server_highspeed_lc_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Lc » Version: N/A
WUT » Com-server Highspeed Ul Firmware
Versions before (<) 1.48
cpe:2.3:o:wut:com-server_highspeed_ul_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Ul » Version: N/A
WUT » Com-server Highspeed Poe 3x Isolated Firmware
Versions before (<) 1.48
cpe:2.3:o:wut:com-server_highspeed_poe_3x_isolated_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: WUT » Com-server Highspeed Poe 3x Isolated » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2022-42786

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-42786

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	CERT VDE
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-42786

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: info@cert.vde.com (Primary)

References for CVE-2022-42786

https://cert.vde.com/de/advisories/VDE-2022-043/

VDE-2022-043 | CERT@VDE
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-42786

Products affected by CVE-2022-42786

Exploit prediction scoring system (EPSS) score for CVE-2022-42786

CVSS scores for CVE-2022-42786

CWE ids for CVE-2022-42786

References for CVE-2022-42786