CVE-2022-24692 - OpenCVE

An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The new menu option within the general Parameters page is vulnerable to stored XSS. The attacker can create a menu option, make it visible to every application user, and conduct session hijacking, account takeover, or malicious code delivery, with the final goal of achieving client-side code execution.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Dsk	Dsknet

Configuration 1 [-]

OR	cpe:2.3:a:dsk:dsknet:2.16.136.0:::::::*
	cpe:2.3:a:dsk:dsknet:2.17.136.5:::::::*

References

Link	Resource
https://dsk.lu/fr/produits/temps-de-presence	Product
https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-18T12:34:40

Updated: 2022-07-18T12:34:40

Reserved: 2022-02-09T00:00:00

Link: CVE-2022-24692

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-18T13:15:09.900

Modified: 2022-07-27T15:15:46.333

Link: CVE-2022-24692

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The new menu option within the general Parameters page is vulnerable to stored XSS. The attacker can create a menu option, make it visible to every application user, and conduct session hijacking, account takeover, or malicious code delivery, with the final goal of achieving client-side code execution."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-18T12:34:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://dsk.lu/fr/produits/temps-de-presence"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-24692", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The new menu option within the general Parameters page is vulnerable to stored XSS. The attacker can create a menu option, make it visible to every application user, and conduct session hijacking, account takeover, or malicious code delivery, with the final goal of achieving client-side code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://dsk.lu/fr/produits/temps-de-presence", "refsource": "MISC", "url": "https://dsk.lu/fr/produits/temps-de-presence"}, {"name": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf", "refsource": "MISC", "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-24692", "datePublished": "2022-07-18T12:34:40", "dateReserved": "2022-02-09T00:00:00", "dateUpdated": "2022-07-18T12:34:40", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dsk:dsknet:2.16.136.0:*:*:*:*:*:*:*", "matchCriteriaId": "49B0E313-BCD6-47A4-9968-A49FD8E78A34", "vulnerable": true}, {"criteria": "cpe:2.3:a:dsk:dsknet:2.17.136.5:*:*:*:*:*:*:*", "matchCriteriaId": "B31B0D02-2879-422F-8100-2594CA5E82F5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The new menu option within the general Parameters page is vulnerable to stored XSS. The attacker can create a menu option, make it visible to every application user, and conduct session hijacking, account takeover, or malicious code delivery, with the final goal of achieving client-side code execution."}, {"lang": "es", "value": "Se ha detectado un problema en DSK DSKNet versiones 2.16.136.0 y 2.17.136.5. La nueva opci\u00f3n de men\u00fa dentro de la p\u00e1gina de Par\u00e1metros generales es vulnerable a un ataque de tipo XSS almacenado. El atacante puede crear una opci\u00f3n de men\u00fa, hacerla visible para todos los usuarios de la aplicaci\u00f3n y conducir un secuestro de la sesi\u00f3n, una toma de control de la cuenta o una entrega de c\u00f3digo malicioso, con el objetivo final de lograr una ejecuci\u00f3n de c\u00f3digo del lado del cliente"}], "id": "CVE-2022-24692", "lastModified": "2022-07-27T15:15:46.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-18T13:15:09.900", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://dsk.lu/fr/produits/temps-de-presence"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}