プラットフォーム
other
コンポーネント
docs
修正版
unspecified
1.9.1
CVE-2022-22115 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting Teedy, a tag management system. This vulnerability allows an attacker to inject malicious scripts into the name of a created Tag, which can be exploited to steal session IDs and escalate privileges. Versions 1.5 through 1.9 are vulnerable. A fix is available via upgrade to a patched version.
The XSS vulnerability in Teedy allows attackers to inject arbitrary JavaScript code into the Tag name field. This code is then executed in the context of any user who views the Tag, including administrators. Successful exploitation can lead to session hijacking, allowing the attacker to impersonate the administrator and gain full control of the system. The impact is particularly severe because the attacker does not need to authenticate as an administrator to inject the malicious script; only the ability to create a Tag is required. This could lead to data breaches, system compromise, and further lateral movement within the network.
CVE-2022-22115 was publicly disclosed on January 10, 2022. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a potential target. No KEV listing is currently available. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Organizations using Teedy for tag management, particularly those with administrator accounts that frequently interact with the system, are at risk. Shared hosting environments where multiple users share the same Teedy instance are also particularly vulnerable, as an attacker could potentially compromise the entire hosting environment through this vulnerability.
• generic web:
curl -I <teedy_url>/edit_tag.php?tag_name='<script>alert(1)</script>• generic web:
grep -r '<script>' /var/log/apache2/access.log• generic web:
grep -r 'alert(' /var/log/apache2/error.logdisclosure
エクスプロイト状況
EPSS
0.37% (59% パーセンタイル)
CVSS ベクトル
The primary mitigation for CVE-2022-22115 is to upgrade Teedy to a patched version. If upgrading immediately is not possible, consider implementing input validation and output encoding on the Tag name field to sanitize user-supplied data. While not a complete solution, this can reduce the risk of successful exploitation. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Regularly review Teedy configurations to ensure proper security settings are in place.
Actualice Teedy a una versión posterior a la 1.9. Esto solucionará la vulnerabilidad XSS almacenada en los nombres de las etiquetas. Asegúrese de que la nueva versión implemente un saneamiento adecuado de las entradas del usuario.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2022-22115 is a critical Stored Cross-Site Scripting (XSS) vulnerability in Teedy versions 1.5 through 1.9, allowing attackers to inject malicious scripts into Tag names.
If you are using Teedy versions 1.5, 1.6, 1.7, 1.8, or 1.9, you are vulnerable to this XSS attack.
The recommended fix is to upgrade Teedy to a patched version that addresses this vulnerability. Check the Teedy website for the latest version.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity makes it a potential target for attackers.
Refer to the Teedy project website or security mailing lists for official advisories and updates regarding this vulnerability.