CVE-2022-46165

Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically. Additionally adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page. As a result the webUI may be subject to a stored cross site scripting attack. This issue has been addressed in version 1.23.5. Users are advised to upgrade. Users unable to upgrade should avoid sharing folders with untrusted users.
Configurations

Configuration 1 (hide)

cpe:2.3:a:syncthing:syncthing:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:30

Type Values Removed Values Added
References () https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238 - Patch () https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238 - Patch
References () https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h - Exploit, Vendor Advisory () https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h - Exploit, Vendor Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRYGBFJPVBW6PPTETNIBWQJE4HJSA5PJ/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRYGBFJPVBW6PPTETNIBWQJE4HJSA5PJ/ -
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEBWSQVGHSTR4ZO7LVVEMPEGMV2DS5XR/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEBWSQVGHSTR4ZO7LVVEMPEGMV2DS5XR/ -
CVSS v2 : unknown
v3 : 5.4
v2 : unknown
v3 : 4.6

16 Jun 2023, 04:15

Type Values Removed Values Added
References
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEBWSQVGHSTR4ZO7LVVEMPEGMV2DS5XR/ -
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRYGBFJPVBW6PPTETNIBWQJE4HJSA5PJ/ -

13 Jun 2023, 16:26

Type Values Removed Values Added
First Time Syncthing syncthing
Syncthing
References (MISC) https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238 - (MISC) https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238 - Patch
References (MISC) https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h - (MISC) https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h - Exploit, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:syncthing:syncthing:*:*:*:*:*:*:*:*

06 Jun 2023, 18:33

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-06 18:15

Updated : 2024-11-21 07:30


NVD link : CVE-2022-46165

Mitre link : CVE-2022-46165

CVE.ORG link : CVE-2022-46165


JSON object : View

Products Affected

syncthing

  • syncthing
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')