Mitre ID |
CVE-2024-22119 |
CVSS score |
5.5 |
CVSS vector |
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
Severity |
Medium |
Summary |
Stored XSS in graph items select form |
Description |
The vulnerability is caused by improper validation of the Name input field on the Graph page, in the Items section. |
Common Weakness Enumeration (CWE) |
CWE-20 Improper Input Validation |
Common Attack Pattern Enumeration and Classification (CAPEC) |
CAPEC-592 Stored XSS |
Known attack vectors |
Malicious code can be entered into the Name field of a graph item and is executed when a user clicks the name link of that graph item. |
Details |
Steps to reproduce:
1) Create an item with the name: <img src="x" onerror="alert('UWAGA');"/>
2) Create a graph and add the created item to its items list.
3) Save the graph.
4) Open the created graph again and click on the added item. |
Scope of changes (mini spec for internal use) |
An additional string conversion function, htmlspecialchars(), was added; it converts special characters to HTML entities. |
Patch provided |
No |
Component/s |
Frontend |
Affected and fixed version/s |
5.0.0 - 5.0.39 / 5.0.40rc1
6.0.0 - 6.0.23 / 6.0.24rc1
6.4.0 - 6.4.8 / 6.4.9rc1
7.0.0alpha1 - 7.0.0alpha7 / 7.0.0alpha8 |
Fix compatibility tests |
- |
Resolution |
Fixed |
Workarounds |
- |
Acknowledgements |
- |
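
The fix described under "Scope of changes", shown as an added example that is not Zabbix source code: the item name from the reproduction steps is rendered once without encoding and once through htmlspecialchars(). The function names, the link markup and the `title` attribute are assumptions made for illustration.

```php
<?php
// Added illustration; not Zabbix source code. Function names are hypothetical.

// Constructed sample: the item name from the reproduction steps.
$itemName = '<img src="x" onerror="alert(\'UWAGA\');"/>';

// Before: the stored name is concatenated into markup as-is, so the browser
// parses it as an element and runs its onerror handler.
function renderItemLinkUnsafe(int $itemId, string $name): string
{
    return '<a href="#" data-itemid="' . $itemId . '">' . $name . '</a>';
}

// After: the name passes through htmlspecialchars() at output time.
// ENT_QUOTES also encodes single quotes, which matters when the same value
// is placed inside a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderItemLinkSafe(int $itemId, string $name): string
{
    $text = escapeHtml($name);
    return '<a href="#" data-itemid="' . $itemId . '" title="' . $text . '">'
        . $text . '</a>';
}

// Regression check: no raw tag from the stored name may survive encoding.
function containsRawTag(string $html, string $needle): bool
{
    return stripos($html, $needle) !== false;
}

$unsafe = renderItemLinkUnsafe(1, $itemName);
$safe   = renderItemLinkSafe(1, $itemName);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'raw <img in unsafe output: ', var_export(containsRawTag($unsafe, '<img'), true), "\n";
echo 'raw <img in safe output:   ', var_export(containsRawTag($safe, '<img'), true), "\n";
```

Encoding is applied where the value is written into HTML, so names already stored in the database are rendered inert without being modified.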