CVE-2022-41947

{"id": "CVE-2022-41947", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2022-12-08T23:15:10.813", "references": [{"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg", "tags": ["Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints."}, {"lang": "es", "value": "DHIS 2 es un sistema de informaci\u00f3n de c\u00f3digo abierto para captura, gesti\u00f3n, validaci\u00f3n, an\u00e1lisis y visualizaci\u00f3n de datos. A trav\u00e9s de varias funciones de DHIS2, un usuario autenticado puede cargar un archivo que incluye javascript integrado. Luego, el usuario podr\u00eda enga\u00f1ar a otro usuario autenticado para que abra el archivo malicioso en un navegador, lo que activar\u00eda el c\u00f3digo javascript, lo que resultar\u00eda en un ataque de Cross-Site Scripting (XSS). Los administradores de DHIS2 deben actualizar a las siguientes versiones de revisi\u00f3n: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Los usuarios que no puedan actualizar pueden agregar la siguiente regla CSP simple en su proxy web a los endpoints vulnerables: `script-src 'none'`. Esta soluci\u00f3n evitar\u00e1 que todo JavaScript se ejecute en esos endpoints."}], "lastModified": "2024-11-21T07:24:07.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1C27E48-5EE7-4A34-916F-8B701C6BF8E0", "versionEndExcluding": "2.36.12.1", "versionStartIncluding": "2.35.0"}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6BDDC0C-4FFE-474A-827E-978DD52338C7", "versionEndExcluding": "2.37.8.1", "versionStartIncluding": "2.37.0"}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5767431-7751-48F4-8F6F-2D4A6CADABBB", "versionEndExcluding": "2.38.2.1", "versionStartIncluding": "2.38.0"}, {"criteria": "cpe:2.3:a:dhis2:dhis_2:2.39.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2EB62DB-53E9-47D3-8659-392DE9A8351A"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}