Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.
References
Link | Resource |
---|---|
https://fossil-scm.org/home/doc/trunk/www/changes.wiki | Vendor Advisory |
https://gainsec.com/2022/07/27/cve-2022-34009/ | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
08 Aug 2023, 14:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-79 |
Information
Published : 2022-07-28 00:15
Updated : 2024-02-28 19:29
NVD link : CVE-2022-34009
Mitre link : CVE-2022-34009
CVE.ORG link : CVE-2022-34009
JSON object : View
Products Affected
microsoft
- windows
fossil-scm
- fossil
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')