CVE-2022-1231
XSS via Embedded SVG in SVG Diagram Format in plantuml/plantuml
Severity Score: -
Exploit Likelihood: -
Affected Versions: < 1.2022.4
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
XSS via embedded SVG in the SVG diagram format in the GitHub repository plantuml/plantuml prior to 1.2022.4. A user-supplied SVG image is inlined into the rendered diagram without neutralization, which yields stored XSS in the context of the diagram embedder (the application that serves the rendered SVG). Depending on the actual context, the impact ranges from stealing secrets to account hijacking, or even to code execution, for example in desktop applications. Web-based applications are the most affected. Since the SVG format allows clickable links in diagrams, it is commonly used by plugins for web-based projects (such as the Confluence plugin; see https://plantuml.com/de/running).
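The description above explains the mechanism but not what "neutralizing" an embedded SVG means in practice. The following is an added example, not PlantUML's code and not the logic of the fix commit linked in the references: it models an embedder that inlines a user-supplied SVG image into its own SVG output, a detection check for script-capable constructs in already stored diagrams, and a sanitizer that removes them before inlining. The payload, function names and the tag/scheme lists are constructed for illustration.

```python
"""Illustrative sanitizer for an SVG image that a diagram tool inlines into its
own SVG output. Added example for this page: not PlantUML's code, and not the
logic in the fix commit linked below. Names and the payload are constructed."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize as <svg xmlns=...>, not ns0:svg
ET.register_namespace("xlink", XLINK_NS)

# Child elements that execute script, or smuggle in HTML that can, once the
# outer SVG is rendered inline by a browser (the "diagram embedder" context).
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}
# URL schemes that turn a clickable link into script execution.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def _scheme_is_dangerous(value: str) -> bool:
    # Drop control characters and whitespace before matching, so that
    # "java\tscript:" or "  javascript:" is not waved through.
    compact = "".join(ch for ch in value if ord(ch) > 32).lower()
    return compact.startswith(DANGEROUS_SCHEMES)


def find_active_content(svg_text: str) -> list:
    """Return a description of every script-capable construct in the SVG.
    Useful as a detection check over diagrams an embedder has already stored."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and _scheme_is_dangerous(value):
                findings.append(f"{value.strip()[:20]!r} href on <{tag}>")
    return findings


def sanitize_svg_fragment(svg_text: str) -> str:
    """Return the SVG with active content removed, as a string ready to inline."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("embedded image is not an SVG document")
    # Pass 1: drop whole dangerous subtrees. Snapshot the iteration so removing
    # children does not disturb the traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
    # Pass 2: strip inline event handlers and script-scheme links.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            if name.lower().startswith("on"):
                del el.attrib[attr]
            elif name == "href" and _scheme_is_dangerous(el.attrib[attr]):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def embed_in_diagram(fragment_svg: str, width: int = 200, height: int = 100) -> str:
    """Model of the vulnerable step: an embedder inlining a user-supplied SVG
    image into the diagram it serves. Here the fragment is sanitized first."""
    inner = sanitize_svg_fragment(fragment_svg)
    return (f'<svg xmlns="{SVG_NS}" width="{width}" height="{height}">'
            f'<rect width="{width}" height="{height}" fill="white"/>'
            f'<g transform="translate(10,10)">{inner}</g></svg>')


# Constructed payload of the kind a user could supply as an "image" to embed.
CONSTRUCTED_PAYLOAD = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="40" height="40">
  <script>alert(document.cookie)</script>
  <circle cx="20" cy="20" r="15" fill="red" onload="alert(1)"/>
  <a xlink:href="java&#9;script:alert(2)"><text y="20">click</text></a>
  <foreignObject width="40" height="40">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for finding in find_active_content(CONSTRUCTED_PAYLOAD):
        print("found:", finding)
    print(embed_in_diagram(CONSTRUCTED_PAYLOAD))
```

Two caveats a practitioner would want. First, the denylist here is for illustration; a production sanitizer should allowlist the SVG elements and attributes a diagram needs and drop everything else, since new script-capable constructs (animated `href` values, `style` with `url()`, and so on) keep appearing. Second, the embedding context decides whether any of this matters: an SVG referenced through `<img src=...>` does not run script in browsers, but an SVG inlined into the page DOM does, which is exactly why the description singles out web-based embedders that inline the diagram to keep its links clickable. For untrusted XML, parse with `defusedxml` rather than the stdlib parser to avoid entity-expansion denial of service.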
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-04-04 CVE Reserved
- 2022-04-15 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-10-11 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
URL | Date | Source
---|---|---
https://huntr.dev/bounties/27db9509-6cd3-4148-8d70-5942f3837604 | 2024-08-02 | 
https://github.com/plantuml/plantuml/commit/c9137be051ce98b3e3e27f65f54ec7d9f8886903 | 2023-11-07 | 
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Plantuml | Plantuml | < 1.2022.4 | - | Affected
Fedoraproject | Fedora | 35 | - | Affected
Fedoraproject | Fedora | 36 | - | Affected