Platform: other
Component: organizr
Fixed in: 2.1.1810
CVE-2022-1345 is a stored Cross-Site Scripting (XSS) vulnerability affecting Organizr versions 2.1.1810 and earlier. An attacker can exploit this flaw by uploading a specially crafted .svg file to the GitHub repository causefx/organizr; because the file is stored, the script it carries executes in the browser of any user who later views it. This vulnerability poses a significant risk of session hijacking and sensitive data exposure. The vulnerability was published on April 13, 2022, and a fix is available in version 2.1.1810.
The impact of CVE-2022-1345 is severe because of the nature of stored XSS vulnerabilities. Successful exploitation allows an attacker to inject arbitrary JavaScript into the context of a user's browser session. That code can then be used to steal session cookies, redirect users to malicious websites, or deface the application. The attacker could potentially gain complete control over the affected user's account, accessing sensitive data and performing actions on their behalf. Given the vulnerability's location within a GitHub repository, it could potentially affect a wide range of users who use or integrate Organizr into their workflows. The ease of uploading files makes this a relatively low-skill attack.
CVE-2022-1345 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, indicating a moderate probability of exploitation. The vulnerability's ease of exploitation and the potential for widespread impact make it a concerning risk. The vulnerability was publicly disclosed on April 13, 2022.
Exploit Status
EPSS: 0.33% (56th percentile)
CVSS Vector
The primary mitigation for CVE-2022-1345 is to immediately upgrade Organizr to version 2.1.1810 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing strict file upload validation to prevent the upload of .svg files. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious SVG content. Regularly scan the GitHub repository for unauthorized file uploads and monitor user activity for signs of malicious script execution. After upgrading, verify the fix by attempting to upload a known malicious SVG file and confirming that the script execution is blocked.
Update Organizr to version 2.1.1810 or higher. This version contains a fix for the stored XSS vulnerability when uploading .svg files. The update will prevent the execution of malicious scripts in the user's browser.
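The interim controls above (reject .svg uploads, and scan stored files for script content) can be implemented server-side as shown in this added example. It is not Organizr's own code; the element and attribute lists, the sample SVG documents and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements and URI schemes that let an SVG carry executable content.
# Assumption: this list is an illustrative baseline, not an exhaustive one.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_URI = re.compile(r"^\s*(javascript|data):", re.I)


def find_svg_xss_indicators(svg_bytes: bytes) -> list[str]:
    """Return the reasons a stored SVG should be treated as suspicious.
    An empty list means no script-bearing constructs were found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        if tag.lower() in DANGEROUS_TAGS:
            reasons.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            local = name.rsplit("}", 1)[-1]
            if local.lower().startswith("on"):      # onload, onclick, ...
                reasons.append(f"event handler attribute {local}")
            elif local.lower() == "href" and SCRIPT_URI.match(value):
                reasons.append(f"{local} with {value.split(':')[0].strip().lower()}: URI")
    return reasons


def looks_like_svg(data: bytes) -> bool:
    """Content check: an SVG renamed to .png is still rendered as SVG by
    browsers that sniff content, so the extension alone is not enough."""
    return re.search(rb"<svg[\s>/]", data[:4096], re.I) is not None


def should_reject_upload(filename: str, data: bytes) -> bool:
    """Interim control from the advisory: block SVG uploads entirely,
    judged by both the file name and the file content."""
    if filename.lower().endswith((".svg", ".svgz")):
        return True
    return looks_like_svg(data)


# Constructed sample documents used to exercise the checks.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed marker */</script></svg>'
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="marker()"><rect width="1" height="1"/></svg>'
HREF_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:void(0)"><text>x</text></a></svg>'
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
```

Running `find_svg_xss_indicators` over already-stored files gives the scan the advisory recommends, while `should_reject_upload` gates new uploads until the upgrade is in place.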
CVE-2022-1345 is a stored XSS vulnerability in Organizr versions up to 2.1.1810. It allows attackers to execute malicious scripts by uploading .svg files, potentially leading to session hijacking and data exposure.
If you are using Organizr version 2.1.1810 or earlier, you are potentially affected by this vulnerability. Assess your environment and upgrade as soon as possible.
Upgrade Organizr to version 2.1.1810 or later to remediate the vulnerability. Implement file upload validation as an interim measure.
Public proof-of-concept exploits are available, suggesting a moderate probability of active exploitation. Monitor your systems for suspicious activity.
Refer to the Organizr GitHub repository for updates and advisories related to CVE-2022-1345: https://github.com/causefx/organizr