CVE-2022-25873 - OpenCVE

The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Vuetifyjs	Vuetify

Configuration 1 [-]

OR	cpe:2.3:a:vuetifyjs:vuetify::::::::
	cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta4::::::
	cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta5::::::
	cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta6::::::
	cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta7::::::
	cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta8::::::
	cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta9::::::

References

Link	Resource
https://codepen.io/5v3n-08/pen/MWGKEjY	Exploit Third Party Advisory
https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176	Patch Third Party Advisory
https://github.com/vuetifyjs/vuetify/issues/15757	Issue Tracking Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407	Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406	Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2022-09-18T00:00:00

Updated: 2022-09-18T14:55:10

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-25873

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-18T15:15:09.660

Modified: 2022-09-21T12:49:39.937

Link: CVE-2022-25873

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "vuetify", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.0.0-beta.4", "versionType": "custom"}, {"lessThan": "2.6.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "5v3n-08"}], "datePublic": "2022-09-18T00:00:00", "descriptions": [{"lang": "en", "value": "The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 4.4, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Cross-site Scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-18T14:55:10", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858"}, {"tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406"}, {"tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vuetifyjs/vuetify/issues/15757"}, {"tags": ["x_refsource_MISC"], "url": "https://codepen.io/5v3n-08/pen/MWGKEjY"}], "title": "Cross-site Scripting (XSS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-09-18T14:50:12.470750Z", "ID": "CVE-2022-25873", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "vuetify", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.0.0-beta.4"}, {"version_affected": "<", "version_value": "2.6.10"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "5v3n-08"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858", "refsource": "MISC", "url": "https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858"}, {"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406", "refsource": "MISC", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406"}, {"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407", "refsource": "MISC", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407"}, {"name": "https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176", "refsource": "MISC", "url": "https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176"}, {"name": "https://github.com/vuetifyjs/vuetify/issues/15757", "refsource": "MISC", "url": "https://github.com/vuetifyjs/vuetify/issues/15757"}, {"name": "https://codepen.io/5v3n-08/pen/MWGKEjY", "refsource": "MISC", "url": "https://codepen.io/5v3n-08/pen/MWGKEjY"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25873", "datePublished": "2022-09-18T00:00:00", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2022-09-18T14:55:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vuetifyjs:vuetify:*:*:*:*:*:*:*:*", "matchCriteriaId": "5717CAE6-B23D-4EE0-88A8-5A98FF6D68E2", "versionEndExcluding": "2.6.10", "versionStartIncluding": "2.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "C8EA2D38-E38D-4913-82FF-949BD4358B6A", "vulnerable": true}, {"criteria": "cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "3B9DD644-5DC7-4297-B2B7-318242E112AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "2BF63ECA-F9A5-4269-ACF1-717401F5A6FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "6C2F172F-EB66-4864-8D7A-F15BDFCBD84D", "vulnerable": true}, {"criteria": "cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "ADE7EEE9-F3C0-46E7-87BD-1BEB43B73945", "vulnerable": true}, {"criteria": "cpe:2.3:a:vuetifyjs:vuetify:2.0.0:beta9:*:*:*:*:*:*", "matchCriteriaId": "2E21A173-87E5-4F49-A9A4-5018664D3576", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component."}, {"lang": "es", "value": "El paquete vuetify a partir de la versi\u00f3n 2.0.0-beta.4 anteriores a 2.6.10 es vulnerable a un ataque de tipo Cross-site Scripting (XSS) debido a una saneo inapropiado de la entrada en la funci\u00f3n \"eventName\" dentro del componente VCalendar"}], "id": "CVE-2022-25873", "lastModified": "2022-09-21T12:49:39.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-09-18T15:15:09.660", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://codepen.io/5v3n-08/pen/MWGKEjY"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/vuetifyjs/vuetify/issues/15757"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}