CVE-2022-39824

{"id": "CVE-2022-39824", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2022-09-05T03:15:07.627", "references": [{"url": "https://github.com/FCncdn/Appsmith-Js-Injection-POC", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/appsmithorg/appsmith/releases", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak."}, {"lang": "es", "value": "Una inyecci\u00f3n de JavaScript del lado del servidor en Appsmith versiones hasta 1.7.14, permite a atacantes remotos ejecutar c\u00f3digo JavaScript arbitrario desde el servidor por medio de la propiedad currentItem del widget de la lista, por ejemplo, para llevar a cabo ataques de DoS o lograr un filtrado de informaci\u00f3n"}], "lastModified": "2022-09-09T16:47:57.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0AE450C4-5F32-45B0-A7A3-E801D04A0273", "versionEndIncluding": "1.7.14"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}