Platform: java
Component: carbon-registry
Fixed in: 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7
CVE-2022-4521 is a cross-site scripting (XSS) vulnerability affecting WSO2 Carbon Registry versions 4.8.0 through 4.8.6. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The issue stems from improper handling of the parentPath/path/username/path/profile_menu request parameter. A fix is available in version 4.8.7.
Successful exploitation of CVE-2022-4521 allows an attacker to inject arbitrary JavaScript code into the Carbon Registry application. This can lead to various malicious actions, including stealing user session cookies, redirecting users to phishing sites, or defacing the application's interface. The impact is particularly severe if the Carbon Registry is used to manage sensitive data or control access to critical systems. An attacker could potentially gain unauthorized access to resources and perform actions on behalf of legitimate users. While the CVSS score is LOW, the potential for user compromise and data theft warrants immediate attention.
CVE-2022-4521 was disclosed publicly on December 15, 2022. There is no indication of active exploitation at this time, nor is it listed on CISA KEV. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit. The LOW CVSS score reflects the limited attack complexity and scope.
Organizations using WSO2 Carbon Registry for identity and access management, particularly those running versions 4.8.0 through 4.8.6, are at risk. Environments where Carbon Registry is exposed directly to the internet or integrated with other critical systems are at higher risk. Shared hosting environments utilizing Carbon Registry are also vulnerable.
• linux / server: Monitor Carbon Registry logs for unusual activity related to the parentPath/path/username/path/profile_menu parameter. Use journalctl -f to observe real-time log entries.
• generic web: Use curl to test the affected endpoint with various payloads containing <script> tags. Example: curl 'http://your-carbon-registry/path?parentPath/path/username/path/profile_menu=<script>alert(1)</script>'
• database (mysql): If Carbon Registry uses a database, check for suspicious entries in the user profiles table that might indicate a successful XSS attack.
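The log-monitoring step above is easier to act on with a small scanner than with `journalctl -f` alone. The following Java program is an added example, not code from the advisory or from WSO2: it pulls the `parentPath/path/username/path/profile_menu` value out of access-log lines, URL-decodes it (twice, so double-encoded payloads are not missed) and flags values that contain markup or script-like tokens a registry path would never legitimately carry. The Tomcat-style log format, the `/carbon/registry/resource.jsp` request path and all sample lines are constructed assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Scans access-log lines for requests that place markup or script-like
 * content in the parentPath/path/username/path/profile_menu parameter
 * named in the advisory. The log format (Tomcat-style common log) and
 * the request path are assumptions; all sample lines are constructed.
 */
public class ProfileMenuXssDetector {

    // Captures the raw, still URL-encoded value of the advisory's parameter.
    private static final Pattern PARAM = Pattern.compile(
            "[?&]parentPath/path/username/path/profile_menu=([^&\\s\"]*)");

    // A registry path has no reason to contain these; any hit is worth a look.
    private static final Pattern SUSPICIOUS = Pattern.compile(
            "[<>\"']|javascript:|\\bon[a-z]+\\s*=", Pattern.CASE_INSENSITIVE);

    /** Returns the decoded parameter value, or null if the line lacks it. */
    static String extractParam(String logLine) {
        Matcher m = PARAM.matcher(logLine);
        if (!m.find()) {
            return null;
        }
        String value = m.group(1);
        // Decode twice so a double-encoded payload (%253C -> %3C -> <) is not missed.
        for (int i = 0; i < 2; i++) {
            try {
                value = URLDecoder.decode(value, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break; // malformed escape sequence: keep what we have so far
            }
        }
        return value;
    }

    static boolean isSuspicious(String value) {
        return value != null && SUSPICIOUS.matcher(value).find();
    }

    /** Returns the log lines whose parameter value looks like injected markup. */
    static List<String> flag(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(extractParam(line))) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines: a benign request, a plain and a double-encoded
        // copy of the advisory's probe value, and an unrelated request.
        List<String> sample = Arrays.asList(
            "10.0.0.5 - - [15/Dec/2022:10:00:01 +0000] \"GET /carbon/registry/resource.jsp?parentPath/path/username/path/profile_menu=/_system/governance HTTP/1.1\" 200 512",
            "10.0.0.9 - - [15/Dec/2022:10:00:02 +0000] \"GET /carbon/registry/resource.jsp?parentPath/path/username/path/profile_menu=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\" 200 512",
            "10.0.0.9 - - [15/Dec/2022:10:00:03 +0000] \"GET /carbon/registry/resource.jsp?parentPath/path/username/path/profile_menu=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1\" 200 512",
            "10.0.0.5 - - [15/Dec/2022:10:00:04 +0000] \"GET /carbon/admin/index.jsp HTTP/1.1\" 200 512");
        for (String hit : flag(sample)) {
            System.out.println("SUSPICIOUS: " + hit);
        }
    }
}
```

Run with `java ProfileMenuXssDetector.java` (Java 11 or later); the second and third sample lines are reported, the first and fourth are not. Pointing the scanner at a real log file instead of the embedded sample is a matter of reading the lines with `Files.readAllLines` before calling `flag`.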
disclosure
Exploit status
EPSS: 0.27% (51st percentile)
CVSS vector
The primary mitigation for CVE-2022-4521 is to upgrade WSO2 Carbon Registry to version 4.8.7 or later, which includes the necessary fix (patch 9f967abfde9317bee2cda469dbc09b57d539f2cc). If upgrading is not immediately feasible, consider implementing input validation and sanitization on the parentPath/path/username/path/profile_menu parameter to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into the vulnerable parameter and confirming that it is properly sanitized.
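The stopgap named above, validating and sanitizing the parameter before it reaches the page, is shown below as an added example; this is not WSO2's code and the allowlist pattern, the markup produced and the sample values are assumptions. `renderVulnerable` models the defect class the advisory describes (the parameter reflected into HTML unchanged), `renderHardened` rejects values outside a strict registry-path allowlist and entity-encodes whatever is emitted, and the `main` runs both against a typical path and the `<script>alert(1)</script>` probe value from this page.

```java
import java.util.regex.Pattern;

/**
 * Added example of the two controls the advisory recommends as a stopgap:
 * validating the parentPath/path/username/path/profile_menu value against
 * an allowlist and encoding it before it is written into HTML. The
 * allowlist pattern and the markup produced are assumptions, not WSO2 code.
 */
public class RegistryPathParam {

    // Assumed allowlist: '/'-separated segments of letters, digits, '.', '_' and '-'.
    // Adjust to the character set your registry actually uses.
    private static final Pattern SAFE_PATH = Pattern.compile("/?(?:[A-Za-z0-9._-]+/?)*");
    private static final int MAX_LEN = 1024;

    static boolean isValidRegistryPath(String value) {
        return value != null && value.length() <= MAX_LEN && SAFE_PATH.matcher(value).matches();
    }

    /** Minimal HTML entity encoding for text and double-quoted attribute contexts. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The defect class in the advisory: the parameter is reflected into the page unchanged. */
    static String renderVulnerable(String path) {
        return "<a href=\"?parentPath=" + path + "\">" + path + "</a>";
    }

    /** Hardened version: reject values outside the allowlist, then encode whatever is emitted. */
    static String renderHardened(String path) {
        if (!isValidRegistryPath(path)) {
            throw new IllegalArgumentException("invalid registry path");
        }
        String enc = htmlEncode(path);
        return "<a href=\"?parentPath=" + enc + "\">" + enc + "</a>";
    }

    public static void main(String[] args) {
        String benign = "/_system/governance";        // constructed, typical registry path
        String payload = "<script>alert(1)</script>"; // the probe value quoted in the advisory
        System.out.println("vulnerable, benign : " + renderVulnerable(benign));
        System.out.println("vulnerable, payload: " + renderVulnerable(payload));
        System.out.println("hardened, benign   : " + renderHardened(benign));
        try {
            renderHardened(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened, payload  : rejected (" + e.getMessage() + ")");
        }
        // Encoding alone also neutralises the value when rejecting the request is not an option.
        System.out.println("encoded payload    : " + htmlEncode(payload));
    }
}
```

The allowlist is the stronger of the two controls because it fails closed on anything that is not a path; encoding is the safety net for the value that does get rendered. In a real deployment use a maintained encoder such as `org.owasp.encoder.Encode.forHtml` rather than the hand-written `htmlEncode`, and treat both controls as a bridge until the 4.8.7 upgrade is in place.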
Update the carbon-registry component to version 4.8.7 or later. This fixes the cross-site scripting vulnerability. The update is available from the official WSO2 repository.
CVE-2022-4521 is a cross-site scripting (XSS) vulnerability in WSO2 Carbon Registry versions 4.8.0 through 4.8.6, allowing attackers to inject malicious scripts.
If you are running WSO2 Carbon Registry versions 4.8.0 through 4.8.6, you are potentially affected by this vulnerability.
Upgrade WSO2 Carbon Registry to version 4.8.7 or later to address the vulnerability. Apply patch 9f967abfde9317bee2cda469dbc09b57d539f2cc.
There is currently no evidence of active exploitation of CVE-2022-4521.
Refer to the WSO2 security advisory for detailed information and updates: [https://nvd.nist.gov/vuln/detail/CVE-2022-4521](https://nvd.nist.gov/vuln/detail/CVE-2022-4521)