CVE-2022-46332

The Admin Smart Search feature in Proofpoint Enterprise Protection (PPS/PoD) contains a stored cross-site scripting vulnerability that enables an anonymous email sender to gain admin privileges within the user interface. This affects all versions 8.19.0 and below.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.proofpoint.com/security/security-advisories/pfpt-sa-2022-0002	Vendor Advisory
https://www.proofpoint.com/security/security-advisories/pfpt-sa-2022-0002	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:proofpoint:enterprise_protection:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:30

Type	Values Removed	Values Added
References	~~() https://www.proofpoint.com/security/security-advisories/pfpt-sa-2022-0002 - Vendor Advisory~~	() https://www.proofpoint.com/security/security-advisories/pfpt-sa-2022-0002 - Vendor Advisory

07 Nov 2023, 03:55

Type	Values Removed	Values Added
Summary	The Admin Smart Search feature in Proofpoint Enterprise Protection (PPS/PoD) contains a stored cross-site scripting vulnerability that enables an anonymous email sender to gain admin privileges within the user interface. This affects all versions 8.19.0 and below.	The Admin Smart Search feature in Proofpoint Enterprise Protection (PPS/PoD) contains a stored cross-site scripting vulnerability that enables an anonymous email sender to gain admin privileges within the user interface. This affects all versions 8.19.0 and below.

Information

Published : 2022-12-06 20:15

Updated : 2024-11-21 07:30

NVD link : CVE-2022-46332

Mitre link : CVE-2022-46332

CVE.ORG link : CVE-2022-46332

JSON object : View

Products Affected

proofpoint

enterprise_protection

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-46332", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@proofpoint.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2022-12-06T20:15:10.610", "references": [{"url": "https://www.proofpoint.com/security/security-advisories/pfpt-sa-2022-0002", "tags": ["Vendor Advisory"], "source": "security@proofpoint.com"}, {"url": "https://www.proofpoint.com/security/security-advisories/pfpt-sa-2022-0002", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@proofpoint.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Admin Smart Search feature in Proofpoint Enterprise Protection (PPS/PoD) contains a stored cross-site scripting vulnerability that enables an anonymous email sender to gain admin privileges within the user interface. This affects all versions 8.19.0 and below.\n\n"}, {"lang": "es", "value": "La funci\u00f3n Admin Smart Search en Proofpoint Enterprise Protection (PPS/PoD) contiene una vulnerabilidad de cross-site scripting almacenado que permite a un remitente de correo electr\u00f3nico an\u00f3nimo obtener privilegios de administrador dentro de la interfaz de usuario. Esto afecta a todas las versiones 8.19.0 y anteriores."}], "lastModified": "2024-11-21T07:30:24.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:proofpoint:enterprise_protection:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8989910-63F8-4E56-AC31-F2FF3FAB1991", "versionEndIncluding": "8.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@proofpoint.com"}