Platform
php
Component
organizr
Fixed version
2.1.1810
CVE-2022-1347 describes a stored Cross-Site Scripting (XSS) vulnerability in Organizr, a self-hosted PHP dashboard that organizes homelab and HTPC web services behind a single login. The values submitted in the user profile's "Username" and "Email" fields are stored and later rendered into pages without adequate output encoding, so a user who can set those fields (typically a low-privilege account editing its own profile) can store a script payload that executes in the browser of an administrator or co-administrator who views it, which can lead to takeover of those accounts. Organizr versions prior to 2.1.1810 are affected; 2.1.1810 contains the fix.
The impact of CVE-2022-1347 is account takeover. The injected JavaScript runs in the context of whichever logged-in user views the page where the stored value is rendered; because usernames and e-mail addresses are displayed on administrator-facing pages such as the user list, administrator and co-administrator sessions are what the attacker reaches. Script running in an admin session acts with that session's privileges: it can change settings, create or elevate accounts, and read the API keys and credentials Organizr stores for the services it fronts, giving the attacker full control of the instance and a foothold against the connected services. Exploitation requires only an account that can edit its own profile fields and an administrator who later views them; that low barrier, combined with the privileges at stake, makes this a significant threat.
CVE-2022-1347 was publicly disclosed on April 13, 2022. While no active exploitation campaigns have been definitively linked to this vulnerability, the ease of exploitation and the potential for significant impact make it a likely target. There are publicly available proof-of-concept (POC) exploits demonstrating the vulnerability. It is recommended to prioritize remediation to prevent potential compromise.
Any self-hosted Organizr instance on an affected version where an untrusted party can obtain an account (open self-registration, access shared with friends or family, a previously compromised low-privilege login) is at risk, since such an account is all the attacker needs to plant the payload. Multi-factor authentication on the administrator accounts does not mitigate this: the script runs inside the administrator's already-authenticated browser session, after MFA has been satisfied. Instances exposed directly to the internet, and hosts where Organizr runs alongside the services it manages, carry the highest consequence, because a takeover exposes the stored integration credentials for those services.
Detection commands (as listed on this page; they only inspect response headers for a guessed request path and cannot confirm that a stored payload executes, and the source grep will also match the application's own legitimate script tags, so treat the running version number as the authoritative check):
• php / web:
curl -I 'http://your-organizr-instance/admin/users/create?username=<script>alert(1)</script>' | grep -i 'content-type'
• generic web:
curl -I 'http://your-organizr-instance/admin/users/create?username=<script>alert(1)</script>' | grep -i 'set-cookie'
• generic web:
grep -r '<script>' /var/www/html/organizr/*
disclosure
patch
Exploitation status
EPSS
0.46% (64th percentile)
CVSS vector
The primary mitigation for CVE-2022-1347 is to upgrade Organizr to version 2.1.1810 or later, which contains the fix. If an immediate upgrade is not possible, reduce exposure in the meantime: disable self-registration if your instance allows it, remove or restrict untrusted accounts, and add server-side validation of the "Username" and "Email" fields (reject anything that is not a plain identifier or a syntactically valid address) as a stopgap. Input validation alone is not a complete fix for stored XSS; the durable defence is contextual output encoding wherever the stored values are rendered. A Web Application Firewall configured to block XSS payloads submitted to these fields adds a further, though bypassable, layer. After upgrading, verify the fix on a non-production copy using a test account: set its Username or Email to a simple payload such as <script>alert(1)</script>, view the account as an administrator, confirm the payload is rendered as literal text rather than executed, and delete the test account afterwards.
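As an added illustration of the bug class behind this CVE (example code written for this page, not Organizr's own code and not the change that shipped in 2.1.1810), the following PHP renders a user list the vulnerable way and the hardened way, and shows the kind of server-side validation the paragraph above suggests as a stopgap. The function names, the username policy, the field names and the sample rows are assumptions made for the example; it needs PHP 8.0 or later for str_contains().

```php
<?php
// Added illustration of the stored-XSS pattern behind CVE-2022-1347.
// Not Organizr's code; function names, policy and sample data are assumptions.
declare(strict_types=1);

// Constructed sample rows, as an attacker with a low-privilege account
// might have stored them through the profile form.
const SAMPLE_USERS = [
    ['username' => 'alice', 'email' => 'alice@example.com'],
    ['username' => '<script>alert(1)</script>',
     'email'    => 'x<img src=x onerror=alert(2)>@example.com'],
];

// Vulnerable pattern: stored values concatenated straight into HTML.
function renderUsersVulnerable(array $users): string
{
    $html = "<table>\n";
    foreach ($users as $u) {
        $html .= "<tr><td>{$u['username']}</td><td>{$u['email']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: contextual output encoding at the point of rendering.
// ENT_QUOTES also encodes ' and " so the value is safe inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUsersHardened(array $users): string
{
    $html = "<table>\n";
    foreach ($users as $u) {
        $html .= '<tr><td>' . h($u['username']) . '</td><td>' . h($u['email']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Defense in depth: reject values that should never be a username or e-mail
// before they are stored. The allowed charset and length are an assumed policy.
function validateProfileInput(string $username, string $email): array
{
    $errors = [];
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $username)) {
        $errors[] = 'username: only letters, digits, ".", "_" and "-" (1-64 chars)';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a syntactically valid address';
    }
    return $errors;
}

// Self-check: the raw payload survives the vulnerable renderer, is neutralised
// by the hardened one, and both sample values are rejected by validation.
function selfCheck(): bool
{
    $vuln = renderUsersVulnerable(SAMPLE_USERS);
    $safe = renderUsersHardened(SAMPLE_USERS);
    $rawInVuln = str_contains($vuln, '<script>');
    $rawInSafe = str_contains($safe, '<script') || str_contains($safe, '<img');
    $errors = validateProfileInput(SAMPLE_USERS[1]['username'], SAMPLE_USERS[1]['email']);
    return $rawInVuln && !$rawInSafe && count($errors) === 2;
}

if (PHP_SAPI === 'cli') {
    echo "vulnerable:\n", renderUsersVulnerable(SAMPLE_USERS), "\n";
    echo "hardened:\n", renderUsersHardened(SAMPLE_USERS), "\n";
    echo selfCheck() ? "self-check passed\n" : "self-check FAILED\n";
}
```

Run it with `php example.php`: the vulnerable table contains the literal `<script>` tag, while the hardened table contains `&lt;script&gt;` and `&lt;img`, which a browser displays as text. The validation rejects both malicious values, but note it is the encoding in renderUsersHardened(), not the validator, that makes the page safe: a username policy can be loosened later, whereas output encoding protects every value regardless of how it got into the database.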
Upgrade Organizr to version 2.1.1810 or later. This version fixes the stored XSS vulnerability in the 'Username' and 'Email' fields, preventing the possible takeover of administrator and co-administrator accounts.
CVE-2022-1347 is a stored XSS vulnerability in Organizr versions prior to 2.1.1810 that lets an attacker with an account store a script payload in the 'Username' and 'Email' fields and have it execute in the browser of an administrator or co-administrator who views those values.
You are affected if you are running any Organizr version earlier than 2.1.1810 (2.1.1810 itself is the fixed release). Check your version and upgrade immediately if it is older.
Upgrade Organizr to version 2.1.1810 or later to patch the vulnerability. Consider input validation as a temporary workaround.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's ease of exploitation makes it a potential target. Proactive remediation is recommended.
Refer to the official Organizr GitHub repository for updates and security advisories: https://github.com/causefx/organizr