Platform: other
Component: organizr
Fixed in: 2.1.1810
CVE-2022-1345 is a stored Cross-Site Scripting (XSS) vulnerability affecting Organizr versions 2.1.1810 and earlier. An attacker can exploit this flaw by uploading a specially crafted .svg file to the GitHub repository causefx/organizr, leading to the execution of malicious scripts within a user's browser. This vulnerability poses a significant risk of session hijacking and sensitive data exposure. The vulnerability was published on April 13, 2022, and a fix is available in version 2.1.1810.
The impact of CVE-2022-1345 is severe due to the nature of XSS vulnerabilities. Successful exploitation allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session. This code can then be used to steal session cookies, redirect users to malicious websites, or deface the application. The attacker could potentially gain complete control over the affected user's account, accessing sensitive data and performing actions on their behalf. Given the vulnerability's location within a GitHub repository, it could potentially impact a wide range of users who utilize or integrate Organizr into their workflows. The ease of uploading files makes this a relatively low-skill attack.
CVE-2022-1345 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, indicating a moderate probability of exploitation. The vulnerability's ease of exploitation and the potential for widespread impact make it a concerning risk. The vulnerability was publicly disclosed on April 13, 2022.
Organizations and individuals utilizing Organizr in their workflows, particularly those who rely on the application for data management or collaboration, are at risk. This includes developers, project managers, and anyone who interacts with the GitHub repository. Shared hosting environments where multiple users have upload privileges are particularly vulnerable.
Detection checks:
• other / generic web:
  curl -I 'https://your-organizr-instance/path/to/uploaded_file.svg' | grep -i 'content-security-policy'
• generic web:
  grep -r '<script>' /var/log/apache2/access.log
• generic web:
  grep -r '<script>' /var/log/nginx/error.log
Exploit status: EPSS 0.33% (56th percentile)
The primary mitigation for CVE-2022-1345 is to immediately upgrade Organizr to version 2.1.1810 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing strict file upload validation to prevent the upload of .svg files. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious SVG content. Regularly scan the GitHub repository for unauthorized file uploads and monitor user activity for signs of malicious script execution. After upgrading, verify the fix by attempting to upload a known malicious SVG file and confirming that the script execution is blocked.
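As an added example (not code from this page or from the Organizr project), the interim "strict file upload validation" step above written out as a server-side check in Python: it parses an uploaded file, confirms it is an SVG document, and rejects it if it carries active content (script or foreignObject elements, on* event handlers, javascript: links). The sample uploads and all function names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample uploads for the example (not taken from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<a href="javascript:void(0)"><rect width="1" height="1" onload="x()"/></a>'
              b'</svg>')

MAX_BYTES = 512 * 1024  # refuse oversized uploads before parsing them

def local_name(qualified):
    """Strip an ElementTree '{namespace}name' prefix and lower-case the result."""
    return qualified.rsplit("}", 1)[-1].lower()

def svg_active_content(data):
    """Return the reasons an SVG upload carries active content (empty list = clean).
    Raises ValueError for uploads that are too large or are not an SVG document.
    ElementTree does not fetch external entities, and the size cap bounds parse cost."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload exceeds size limit")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in ("script", "foreignobject"):
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            attr_name = local_name(attr)
            if attr_name.startswith("on"):                      # onload=, onclick=, ...
                findings.append(f"{attr_name} handler on <{name}>")
            elif attr_name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL on <{name}>")  # covers xlink:href too
    return findings

def is_safe_svg_upload(data):
    """Policy helper for the upload handler: accept only well-formed SVGs with no findings."""
    try:
        return not svg_active_content(data)
    except ValueError:
        return False

if __name__ == "__main__":
    print("benign:", svg_active_content(BENIGN_SVG))   # []
    print("active:", svg_active_content(ACTIVE_SVG))   # two findings
```

A check like this sits beside the upgrade, not in place of it, and files that pass should still be served with a restrictive Content-Security-Policy, which the curl check above inspects.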
Upgrade Organizr to version 2.1.1810 or later. This version contains a fix for the stored XSS vulnerability in .svg file uploads. Upgrading will prevent malicious scripts from executing in the user's browser.
CVE-2022-1345 is a stored XSS vulnerability in Organizr versions up to 2.1.1810. It allows attackers to execute malicious scripts by uploading .svg files, potentially leading to session hijacking and data exposure.
If you are using Organizr version 2.1.1810 or earlier, you are potentially affected by this vulnerability. Assess your environment and upgrade as soon as possible.
Upgrade Organizr to version 2.1.1810 or later to remediate the vulnerability. Implement file upload validation as an interim measure.
Public proof-of-concept exploits are available, suggesting a moderate probability of active exploitation. Monitor your systems for suspicious activity.
Refer to the Organizr GitHub repository for updates and advisories related to CVE-2022-1345: https://github.com/causefx/organizr