CVE-2022-39020

Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.themissinglink.com.au/security-advisories/cve-2022-39020	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:schoolbox:schoolbox:21.0.2:*:*:*:*:*:*:*

History

25 Oct 2023, 18:17

Type	Values Removed	Values Added
Summary	Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.	Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.

Information

Published : 2022-10-31 21:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-39020

Mitre link : CVE-2022-39020

CVE.ORG link : CVE-2022-39020

JSON object : View

Products Affected

schoolbox

schoolbox

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-39020", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "vdp@themissinglink.com.au", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2022-10-31T21:15:12.250", "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020", "tags": ["Third Party Advisory"], "source": "vdp@themissinglink.com.au"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "vdp@themissinglink.com.au", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "\nMultiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.\n\n"}, {"lang": "es", "value": "Se encontraron varias instancias de Cross Site-Scripting XSS (stored y reflejadas) en la aplicaci\u00f3n. Por ejemplo, se descubri\u00f3 que funciones como el env\u00edo de evaluaciones de los estudiantes, la carga de archivos, las noticias, el portafolio electr\u00f3nico y la creaci\u00f3n de eventos de calendario eran vulnerables a Cross-Site Scripting.\n"}], "lastModified": "2023-10-25T18:17:15.187", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:schoolbox:schoolbox:21.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D46F4619-A324-4FF3-996A-FCE9070CFFDF"}], "operator": "OR"}]}], "sourceIdentifier": "vdp@themissinglink.com.au"}