| Mitre ID |
CVE-2024-22119 |
| CVSS score |
5.5 |
| CVSS vector |
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
| Severity |
Medium |
| Summary |
Stored XSS in graph items select form |
| Description |
The cause of vulnerability is improper validation of input field called Name on Graph page in Items section. |
| Common Weakness Enumeration (CWE) |
CWE-20 Improper Input Validation |
| Common Attack Pattern Enumeration and Classification (CAPEC) |
CAPEC-592 Stored XSS |
| Known attack vectors |
Malicious code can be entered into Graph items Name field and can be executed when user clicks on current graph item name link. |
| Details |
Steps to reproduce:
1) Create item with name - <img src="x" onerror="alert('UWAGA');"/>
2) Create graph and add created item to items list.
3) Save graph.
4) Open created graph again and click on added item. |
| Scope of changes (mini spec for internal use) |
The additional string conversion function htmlspecialchars() was added that will convert special characters to HTML entities. |
| Patch provided |
No |
| Component/s |
Frontend |
| Affected and fixed version/s |
5.0.0 - 5.0.39 / 5.0.40rc1
6.0.0 - 6.0.23 / 6.0.24rc1
6.4.0 - 6.4.8 / 6.4.9rc1
7.0.0alpha1 - 7.0.0alpha7 / 7.0.0alpha8 |
| Fix compatibility tests |
- |
| Resolution |
Fixed |
| Workarounds |
- |
| Acknowledgements |
- |
image-2023-11-22-12-09-52-393.png
Team C
