CVE-2022-23081

Date: June 22, 2022

Overview

openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to reflected cross-site scripting (XSS).

Details

openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to reflected cross-site scripting (XSS).
An unauthenticated attacker can craft a link carrying a malicious JavaScript payload and send it to an admin.
When the admin clicks the link, the payload is reflected into the response and executes in the admin's browser, within the admin's authenticated session.

PoC Details

1. Log in to the application as an admin user (the URL is usually http://localhost:8080/).
2. Open the payload URL from the PoC Code section below in the same browser and watch for the alert box, which displays the admin user's session cookie (document.cookie).

PoC Code

http://localhost:8080/"><script>alert(document.cookie)</script>
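As an added illustration (not Open Library's own code, and not part of the advisory), the snippet below models the bug class the PoC exercises: a server-side template that reflects the request path into an HTML attribute without escaping, next to the escaped version. The login form and its `redirect` hidden field are assumptions chosen to show why the PoC payload starts with `">`; the advisory does not say which Open Library template is affected.

```python
from html import escape
from urllib.parse import urlsplit

# The advisory's PoC URL. A browser percent-encodes the quote and angle
# brackets on the wire; the server decodes them again, so the request
# handler sees the raw path below.
POC_URL = 'http://localhost:8080/"><script>alert(document.cookie)</script>'
POC_PATH = urlsplit(POC_URL).path  # '/"><script>alert(document.cookie)</script>'


def render_vulnerable(request_path: str) -> str:
    """Hypothetical login form that reflects the requested path so the
    user can be sent back to it after logging in. Interpolating it
    unescaped inside a double-quoted attribute is the CWE-79 pattern:
    a path beginning with '">' closes the attribute and the tag, and
    everything after it is parsed as new markup."""
    return (
        '<form method="post" action="/account/login">'
        f'<input type="hidden" name="redirect" value="{request_path}">'
        '</form>'
    )


def render_fixed(request_path: str) -> str:
    """Same form with the value escaped for an attribute context.
    quote=True matters: html.escape() without it leaves the double quote
    alone, which is all the payload needs to break out of value="..."."""
    safe = escape(request_path, quote=True)
    return (
        '<form method="post" action="/account/login">'
        f'<input type="hidden" name="redirect" value="{safe}">'
        '</form>'
    )


def has_injected_script(html: str) -> bool:
    """Minimal check a regression test can apply to the rendered page:
    an unescaped '<script' means the payload survived into markup, while
    escaped output carries '&lt;script' instead. For a template that
    legitimately ships script tags, diff against a baseline render of the
    same template with a benign path rather than using this alone."""
    return "<script" in html.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(POC_PATH)
        print(f"{name}: injected={has_injected_script(page)}")
        print("  " + page)
```

Escaping addresses the injection itself. Marking the session cookie HttpOnly would keep `document.cookie` from exposing it to the PoC payload, but the script would still run with the admin's session, so that is a mitigation for one impact rather than a fix; the fix is the upgrade listed under Prevention.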

Affected Environments

openlibrary versions deploy-2016-07-0 through deploy-2021-12-22

Prevention

Upgrade to openlibrary version deploy-2022-06-09

Language: Python

Good to know:


Cross-Site Scripting (XSS)

CWE-79

Upgrade Version

Upgrade to version deploy-2022-06-09


CVSS v3 Base Score: 6.1 (Medium; computed from the metrics below)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 Base Score: 4.3 (Medium; computed from the metrics below)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None