
We found results for “”
CVE-2022-23053
Date: February 20, 2022
Overview
Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Condition Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field.Details
Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Condition Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field. It allows malicious data to be part of the website and run within the user’s browser under the privileges of the web applicationPoC Details
Create button in order to use the “Condition Widget” plugin, submit javascript:alert(“XSS”) in the URL field. Inside the DOM, we can see that the malicious payload was assigned into the “src” attribute of the iframe.PoC Code
javascript:alert(“XSS”)
Affected Environments
1.3.0-1.7.7Prevention
Update to version 1.7.8Language: JS
Good to know:

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
Upgrade Version
No fix version available
Base Score: |
|
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | None |
User Interaction (UI): | Required |
Scope (S): | Changed |
Confidentiality (C): | Low |
Integrity (I): | Low |
Availability (A): | None |
Base Score: |
|
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | Medium |
Authentication (AU): | None |
Confidentiality (C): | None |
Integrity (I): | Partial |
Availability (A): | None |
Additional information: |