CVE-2022-34870

Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.

Apache Geode versiones hasta 1.15.0, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) por inyección de datos cuando es usada la aplicación web Pulse para ver las entradas de la Región

*Credits: N/A

CVSS Scores

NISTv3.1 5.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-06-30 CVE Reserved
2022-10-25 CVE Published
2024-08-03 CVE Updated
2024-10-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/10/24/3	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/zltlr7f2ymr2m6jj54k4z0c4foos5fwx	2022-10-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Geode Search vendor "Apache" for product "Geode"				<= 1.15.0 Search vendor "Apache" for product "Geode" and version " <= 1.15.0"		-		Affected