CVE-2022-25620 - OpenCVE

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Profelis	Sambabox

Configuration 1 [-]

cpe:2.3:a:profelis:sambabox:*:*:*:*:*:*:x86:*

References

Link	Resource
https://www.sambabox.io/sambabox-surum-4-0/	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Profelis

Published: 2022-03-30T14:55:11

Updated: 2022-03-30T14:55:11

Reserved: 2022-02-21T00:00:00

Link: CVE-2022-25620

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-30T15:15:08.377

Modified: 2022-04-07T16:25:41.173

Link: CVE-2022-25620

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"platforms": ["x86"], "product": "SambaBox", "vendor": "Profelis IT Consultancy", "versions": [{"lessThanOrEqual": "4.0", "status": "affected", "version": "4.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Volkan Erciyas"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-30T14:55:11", "orgId": "3039e14d-1e9f-46c2-98a6-44436e4ca5d5", "shortName": "Profelis"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.sambabox.io/sambabox-surum-4-0/"}], "solutions": [{"lang": "en", "value": "Upgrade SambaBox to 4.1"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored Cross-Site Scripting (XSS)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@profelis.com.tr", "ID": "CVE-2022-25620", "STATE": "PUBLIC", "TITLE": "Stored Cross-Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SambaBox", "version": {"version_data": [{"platform": "x86", "version_affected": "<=", "version_name": "4.0", "version_value": "4.0"}]}}]}, "vendor_name": "Profelis IT Consultancy"}]}}, "credit": [{"lang": "eng", "value": "Volkan Erciyas"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.sambabox.io/sambabox-surum-4-0/", "refsource": "CONFIRM", "url": "https://www.sambabox.io/sambabox-surum-4-0/"}]}, "solution": [{"lang": "en", "value": "Upgrade SambaBox to 4.1"}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "3039e14d-1e9f-46c2-98a6-44436e4ca5d5", "assignerShortName": "Profelis", "cveId": "CVE-2022-25620", "datePublished": "2022-03-30T14:55:11", "dateReserved": "2022-02-21T00:00:00", "dateUpdated": "2022-03-30T14:55:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:profelis:sambabox:*:*:*:*:*:*:x86:*", "matchCriteriaId": "72B249F6-F5DA-4809-AF06-D5071D3A04D3", "versionEndIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86."}, {"lang": "es", "value": "Una vulnerabilidad de Neutralizaci\u00f3n inapropiada de las etiquetas HTML relacionadas con los scripts en una p\u00e1gina web (XSS b\u00e1sico) en la funcionalidad Group de Profelis IT Consultancy SambaBox permite al usuario AUTENTICADO causar la ejecuci\u00f3n de c\u00f3digos arbitrarios en el servidor vulnerable. Este problema afecta a: Profelis IT Consultancy SambaBox versi\u00f3n 4.0 versiones 4.0 y anteriores en x86"}], "id": "CVE-2022-25620", "lastModified": "2022-04-07T16:25:41.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 3.4, "source": "cve@profelis.com.tr", "type": "Secondary"}]}, "published": "2022-03-30T15:15:08.377", "references": [{"source": "cve@profelis.com.tr", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.sambabox.io/sambabox-surum-4-0/"}], "sourceIdentifier": "cve@profelis.com.tr", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-80"}], "source": "cve@profelis.com.tr", "type": "Secondary"}]}