Platform
other
Component
appwrite/appwrite
Fixed in
1.0.0-RC1
CVE-2022-2925 is a stored Cross-Site Scripting (XSS) vulnerability in the Appwrite GitHub repository (appwrite/appwrite) affecting all versions prior to 1.0.0-RC1. It allows attackers to inject malicious scripts into the application, potentially leading to unauthorized access and data compromise. The fix is available in version 1.0.0-RC1.
The XSS vulnerability in Appwrite allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of other users' browsers, enabling a wide range of malicious activities. An attacker could steal sensitive user data, such as authentication tokens or personal information, redirect users to phishing sites, or even hijack user accounts. The impact is particularly severe because the vulnerability is stored, meaning the malicious script persists and can affect multiple users over time. Successful exploitation could lead to complete compromise of the Appwrite instance and its associated data.
CVE-2022-2925 was publicly disclosed on September 9, 2022. While no active exploitation campaigns have been definitively linked to this vulnerability, the CRITICAL severity and ease of exploitation make it a high-priority target. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations and developers using Appwrite versions prior to 1.0.0-RC1 are at risk. This includes those deploying Appwrite in production environments, as well as those using it for development and testing purposes. Shared hosting environments using Appwrite are particularly vulnerable, as they may be more difficult to patch quickly.
disclosure
Exploit Status
EPSS
0.35% (57th percentile)
CVSS Vector
The primary mitigation for CVE-2022-2925 is to immediately upgrade Appwrite to version 1.0.0-RC1 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Regularly review Appwrite configurations and ensure that all security best practices are followed.
Upgrade Appwrite to version 1.0.0-RC1 or later. This version contains a fix for the stored XSS vulnerability. Upgrading removes the possibility of attackers injecting malicious scripts into your application.
CVE-2022-2925 is a stored XSS vulnerability in Appwrite versions prior to 1.0.0-RC1, allowing attackers to inject malicious scripts.
Yes, if you are using Appwrite versions equal to or less than 1.0.0-RC1, you are affected by this vulnerability.
Upgrade Appwrite to version 1.0.0-RC1 or later to resolve this vulnerability. Consider input validation as an interim measure.
While no confirmed active exploitation campaigns are known, the CRITICAL severity makes it a high-priority target.
Refer to the Appwrite security advisory for detailed information and updates: [https://appwrite.io/docs/security/vulnerability-disclosure](https://appwrite.io/docs/security/vulnerability-disclosure)