An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. Injection of a malicious payload within the RelayState= parameter of the HTTP request body results in the hijacking of the form action. Form-action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server.
References
Link | Resource |
---|---|
https://github.com/l00neyhacker/CVE-2022-26156 | Third Party Advisory |
https://help.cherwell.com/bundle/release_notes_10_4_help_only/page/content/release_notes/10_4_0_fix_list.html | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-02-28T15:24:00
Updated: 2022-02-28T15:24:00
Reserved: 2022-02-28T00:00:00
Link: CVE-2022-26156
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-02-28T16:15:08.120
Modified: 2022-03-08T18:15:24.500
Link: CVE-2022-26156
JSON object: View
Redhat Information
No data.
CWE