CRITICAL · CVE-2022-22114 · CVSS 9.6

CVE-2022-22114: XSS in Teedy Vulnerability

Platform

other

Component

docs

Fixed in

1.9.1

AI Confidence: high · Source: NVD · EPSS 2.0% · Reviewed: May 2026

CVE-2022-22114 is a Reflected Cross-Site Scripting (XSS) vulnerability in Teedy (the sismics/docs document management system), versions 1.5 through 1.9. The user-supplied search term is reflected into the page without adequate output encoding, so an attacker who gets a victim to open a crafted link can run arbitrary script in the victim's browser within that user's Teedy session. Because the most valuable victims are administrators, successful exploitation can lead to full account takeover, which is why the issue is rated critical.

Impact and Attack Scenarios

The primary impact of CVE-2022-22114 is account takeover. The attacker crafts a URL containing a JavaScript payload in the search term and delivers it to a victim, for example by e-mail or chat. When the victim, ideally from the attacker's point of view an administrator, opens the link, the payload executes in the victim's browser with the victim's session. From there the script can exfiltrate the session cookie (if it is not marked HttpOnly), inject content into the page, or simply call Teedy's own API as the victim, which works even when the cookie is HttpOnly. With an administrator as the victim, the blast radius covers the whole instance: every document, user and setting that the administrator can reach. The root cause is the common one for reflected XSS: user input is echoed into the page without being encoded for the HTML context it lands in, so the browser treats it as markup and script rather than as text.

Exploitation Context

CVE-2022-22114 was publicly disclosed on January 10, 2022. No active exploitation campaign has been confirmed, but the attack is cheap to carry out (a single crafted link, no authentication) and the payoff is an administrator session, which makes it a high-priority fix. No public proof-of-concept exploit is tracked on this page, which is not the same as none existing; a reflected XSS in a search field is trivial to weaponise once the injection point is known. It is not listed in the CISA KEV catalog at the time of writing.
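A practitioner reading the paragraph above will want to know whether anyone has already tried this against their instance. The following is an added example written for this page, not part of the source data or of Teedy's code: it scans Combined Log Format access log lines for requests whose search parameter carries markup or script, decoding repeatedly so double-encoded payloads are not missed. The parameter name `search`, the endpoint `/api/document/list`, the log format and the sample lines (constructed) are assumptions; the frontend's own hash-routed URL never reaches the server, so only the API call the browser makes on the victim's behalf shows up in logs.

```javascript
// Added example (not Teedy's code): detect reflected-XSS attempts against a search
// parameter in web access logs. Parameter name, endpoint and log format are assumed.

// Decode until the value stops changing, so a double-encoded payload
// (%253C -> %3C -> <) is seen in the clear. Bounded to avoid looping forever.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current.replace(/\+/g, ' ')); } catch { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Heuristics for markup or script in what should be a plain search term.
// Any tag, any on*= handler, or a javascript: URL is suspicious here.
const XSS_INDICATORS = [
  /<\s*script/i,
  /<\s*(img|svg|iframe|object|embed|body|math)\b/i,
  /\bon[a-z]+\s*=/i,
  /javascript\s*:/i,
  /<\s*\/?\s*[a-z][a-z0-9]*[^>]*>/i,
];

// Return the raw (still-encoded) value of the "search" query parameter, or null.
function searchParam(pathWithQuery) {
  const idx = pathWithQuery.indexOf('?');
  if (idx < 0) return null;
  for (const pair of pathWithQuery.slice(idx + 1).split('&')) {
    const [key, ...rest] = pair.split('=');
    if (fullyDecode(key) === 'search') return rest.join('=');
  }
  return null;
}

// Combined Log Format (Apache/Nginx default): client, timestamp, request line, status.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Parse one line and classify its search term; null when the line has no search.
function analyseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, path, status] = m;
  const raw = searchParam(path);
  if (raw === null) return null;
  const term = fullyDecode(raw);
  return { ip, ts, method, status, term, suspicious: XSS_INDICATORS.some((re) => re.test(term)) };
}

// All requests in the log whose search term looks like an XSS attempt.
function findAttempts(logText) {
  return logText.split('\n').map(analyseLine).filter((r) => r && r.suspicious);
}

// Constructed sample log: one benign search, one plain payload, one double-encoded
// payload, and a benign quoted phrase that must not be flagged.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /api/document/list?search=quarterly%20report HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Jan/2022:10:00:05 +0000] "GET /api/document/list?search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Jan/2022:10:00:09 +0000] "GET /api/document/list?search=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Jan/2022:10:01:00 +0000] "GET /api/document/list?search=%22quoted%20phrase%22 HTTP/1.1" 200 240 "-" "Mozilla/5.0"',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findAttempts(SAMPLE_LOG)) console.log(hit.ip, hit.ts, JSON.stringify(hit.term));
}
```

Feed it your own log text instead of `SAMPLE_LOG`; the patterns are deliberately broad (a term such as "switch on = off" will trip the handler regex), so treat hits as leads to review, and correlate the client IP with the session that later performed administrative actions.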

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

2.05% (84th percentile)

CVSS Vector

CVSS 3.1 base score 9.6 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — the vulnerable component is the Teedy web application, but the injected script executes in the victim's browser under the victim's session, a different security authority, so the impact crosses a scope boundary. For XSS this does not imply reaching the host OS.
Confidentiality
High — the script can read whatever the victim's session can: documents, user data and, unless the cookie is HttpOnly, the session cookie itself. For an administrator victim that is effectively all data in the instance.
Integrity
High — the script can issue any request the victim is authorized to make, so with an administrator victim it can modify or delete documents, users and settings.
Availability
High — the same administrator-level access can delete users and data and so disrupt the service. Note that all three impact ratings assume a privileged victim follows the link; the vulnerability itself grants nothing without that interaction.

Affected Software

Component: docs
Vendor: sismics

Affected range          Fixed in
v1.5 – unspecified      unspecified
unspecified – v1.9      1.9.1

Weakness Classification (CWE)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Timeline

  1. Reserved
  2. Published: January 10, 2022
  3. Modified
  4. EPSS updated
1595 days since disclosure; a fix is available (commit 4951229576d6892dc58ab8c572e73639ca82d80c, release 1.9.1)

Mitigation and Workarounds

The primary mitigation for CVE-2022-22114 is to upgrade Teedy to 1.9.1 or later, which contains the fix commit 4951229576d6892dc58ab8c572e73639ca82d80c. If you build Teedy yourself and cannot move to the release immediately, apply that commit to your build. Output encoding at the point where the search term is rendered is the actual fix; input validation on a free-text search field cannot be strict enough to stop XSS without breaking legitimate searches. As defense in depth, a Content-Security-Policy that disallows inline script limits what an injected payload can do, and marking the session cookie HttpOnly prevents the simplest cookie theft (it does not stop the script from calling the API as the victim). A Web Application Firewall with XSS rules can block the obvious payloads but is routinely bypassed by encoding variations, so treat it as a stopgap, not a fix. Scan your Teedy installation regularly with automated vulnerability tooling so the version in production is known.
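The attack from the Impact section and the output-encoding fix recommended above, as one added example. This is illustrative JavaScript written for this page, not Teedy's code and not the upstream fix: the function names, the markup, the hash-routed URL shape and the `search` query key are assumptions. It extracts the term from a crafted link the way a single-page app would, renders it both unsafely and with HTML encoding, and checks which rendering introduced a tag the template never emitted.

```javascript
// Added example (not Teedy's code): a reflected search-term XSS and its hardened form.
// Names, markup and URL shape are hypothetical.

// Vulnerable: the term from the URL is concatenated into HTML as-is, so any markup in
// it is parsed by the browser and a payload such as <img src=x onerror=...> runs in
// the victim's session.
function renderSearchHeaderUnsafe(term) {
  return '<h2>Results for ' + term + '</h2>';
}

// Encode the five characters that change the parsing context in HTML text and
// attribute values. This is the fix: the term stays visible, but only as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: identical markup, untrusted term encoded before insertion.
function renderSearchHeaderSafe(term) {
  return '<h2>Results for ' + escapeHtml(term) + '</h2>';
}

// Read the search term the way a hash-routed frontend would: from the URL fragment's
// query part, URL-decoded. The "search" key is an assumption for this example.
function searchTermFromUrl(url) {
  const u = new URL(url);
  const frag = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  const q = frag.includes('?') ? frag.slice(frag.indexOf('?') + 1) : '';
  return new URLSearchParams(q).get('search') || '';
}

// Stand-in for the browser's parser: does the rendered string contain any tag other
// than the <h2> the template itself emits? If so, the term was interpreted as markup.
function containsInjectedTag(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== 'h2');
}

// Constructed crafted link of the kind an attacker would send to an administrator.
const CRAFTED_LINK =
  'https://teedy.example/#/document?search=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E';

// Run both renderings over the extracted term and report which one got injected.
function demo(link = CRAFTED_LINK) {
  const term = searchTermFromUrl(link);
  return {
    term,
    unsafeInjected: containsInjectedTag(renderSearchHeaderUnsafe(term)),
    safeInjected: containsInjectedTag(renderSearchHeaderSafe(term)),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

In a real AngularJS view the unsafe path is typically binding the term through something that interprets HTML rather than through plain interpolation, which text-encodes by default; the principle is the same, and the check above is what a regression test for the fix should assert.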

How to fix

Upgrade Teedy to a version later than 1.9, that is, 1.9.1 or newer. The vulnerability is fixed in commit 4951229576d6892dc58ab8c572e73639ca82d80c. See the release notes for details.

Frequently asked questions

What is CVE-2022-22114 — XSS in Teedy?

CVE-2022-22114 is a critical (CVSS 9.6) Reflected Cross-Site Scripting (XSS) vulnerability in Teedy versions 1.5 through 1.9 that lets an attacker run script in a victim's browser via a crafted search link.

Am I affected by CVE-2022-22114 in Teedy?

If you are using Teedy versions 1.5, 1.6, 1.7, 1.8, or 1.9, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.

How do I fix CVE-2022-22114 in Teedy?

Upgrade Teedy to 1.9.1 or later, which includes the fix commit 4951229576d6892dc58ab8c572e73639ca82d80c. Consult the vendor's release notes for upgrade instructions.

Is CVE-2022-22114 being actively exploited?

While no active exploitation campaigns are currently confirmed, the vulnerability's ease of exploitation makes it a potential target. Monitor your systems closely.

Where can I find the official Teedy advisory for CVE-2022-22114?

No direct advisory link is recorded on this page. Check the Teedy release notes for 1.9.1, the fix commit 4951229576d6892dc58ab8c572e73639ca82d80c in the sismics/docs repository, and the NVD entry for CVE-2022-22114.