CVE-2022-2256
Visualizer: Tables and Charts Manager for WordPress <= 3.7.9 - Authenticated (Contributor+) PHAR Deserialization
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
Se ha encontrado una vulnerabilidad de tipo Cross-site scripting (XSS) Almacenado en keycloak tal y como es suministrado en Red Hat Single Sign-On versiĆ³n 7. Este fallo permite a un atacante privilegiado ejecutar scripts maliciosos en la consola de administraciĆ³n, abusando de la funcionalidad de los roles por defecto
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in the file Block.php in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-06-29 CVE Reserved
- 2022-07-05 CVE Published
- 2024-03-24 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49 | Broken Link |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=2101942 | 2022-10-04 | |
https://access.redhat.com/security/cve/CVE-2022-2256 | 2022-10-04 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.0 Search vendor "Redhat" for product "Single Sign-on" and version "7.0" | - |
Affected
|