CVE-2022-3895 (GCVE-0-2022-3895)

Vulnerability from cvelistv5 – Published: 2022-11-15 14:24 – Updated: 2025-04-29 18:12
Title
Potential XSS in common user interface component library
Summary
Some UI elements of the Common User Interface Component (CUI, the UI component library shipped with BlueSpice) do not properly escape output and can therefore emit attacker-controlled HTML, i.e. cross-site scripting (XSS, CWE-79). Affected: CUI 3.x before 3.0.5; fixed in CUI 3.0.5, which is included in BlueSpice 4.2.1 and later. Note the scoring disagreement preserved in this record: the vendor (HW) vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (4.0, Medium), whereas NVD's primary vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1, Medium) — the conventional vector for XSS in a web application (network-reachable, requires a victim to interact, scope changed because the script runs in the victim's browser). Defenders should plan on the NVD vector; an XSS in a web UI library is reachable over the network by design. The advisory does not name the affected UI elements, and no public exploit is recorded (CISA SSVC: Exploitation none, Automatable no, Technical Impact partial).
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
HW (Hallo Welt! GmbH, the BlueSpice vendor; advisory BSSA-2022-08, internal discovery)
Impacted products: Hallo Welt! GmbH Common User Interface Component 3.x before 3.0.5 (CNA); per the NVD CPE configuration also BlueSpice 4.1.0 up to, but excluding, 4.2.1. Remediation: upgrade to CUI 3.0.5+ / BlueSpice 4.2.1+.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:20:58.454Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-3895",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T18:11:00.732213Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T18:12:08.089Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Common User Interface Component",
          "vendor": "Hallo Welt! GmbH",
          "versions": [
            {
              "lessThan": "3.0.5",
              "status": "affected",
              "version": "3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-11-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-15T00:00:00.000Z",
        "orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
        "shortName": "HW"
      },
      "references": [
        {
          "url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Common User Interface 3.0.5 or later. This is included in BlueSpice 4.2.1 or later."
        }
      ],
      "source": {
        "advisory": "BSSA-2022-08",
        "discovery": "INTERNAL"
      },
      "title": "Potential XSS in common user interface component library",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
    "assignerShortName": "HW",
    "cveId": "CVE-2022-3895",
    "datePublished": "2022-11-15T14:24:49.235Z",
    "dateReserved": "2022-11-08T00:00:00.000Z",
    "dateUpdated": "2025-04-29T18:12:08.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-3895\",\"sourceIdentifier\":\"security@bluespice.com\",\"published\":\"2022-11-15T15:15:12.167\",\"lastModified\":\"2024-11-21T07:20:29.067\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS).\"},{\"lang\":\"es\",\"value\":\"Algunos elementos de la interfaz de usuario del componente de interfaz de usuario com\u00fan no sanitizan adecuadamente la salida y, por lo tanto, son propensos a generar HTML arbitrario (XSS).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@bluespice.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@bluespice.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable
\":true,\"criteria\":\"cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.1.0\",\"versionEndExcluding\":\"4.2.1\",\"matchCriteriaId\":\"696F93D5-AB35-4EA3-AEDB-9C868E94ED6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hallowelt:common_user_interface:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.5\",\"matchCriteriaId\":\"0CDC405B-9837-4BCD-80EA-8CCE45E1B223\"}]}]}],\"references\":[{\"url\":\"https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08\",\"source\":\"security@bluespice.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T01:20:58.454Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-3895\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-29T18:11:00.732213Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-29T18:11:07.463Z\"}}], \"cna\": {\"title\": \"Potential XSS in common user interface component library\", \"source\": {\"advisory\": \"BSSA-2022-08\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Hallo Welt! GmbH\", \"product\": \"Common User Interface Component\", \"versions\": [{\"status\": \"affected\", \"version\": \"3\", \"lessThan\": \"3.0.5\", \"versionType\": \"custom\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to Common User Interface 3.0.5 or later. 
This is included in BlueSpice 4.2.1 or later.\"}], \"datePublic\": \"2022-11-15T00:00:00.000Z\", \"references\": [{\"url\": \"https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Cross-site Scripting (XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"ff95705b-1a40-4639-8017-a58fa868baee\", \"shortName\": \"HW\", \"dateUpdated\": \"2022-11-15T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-3895\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-29T18:12:08.089Z\", \"dateReserved\": \"2022-11-08T00:00:00.000Z\", \"assignerOrgId\": \"ff95705b-1a40-4639-8017-a58fa868baee\", \"datePublished\": \"2022-11-15T14:24:49.235Z\", \"assignerShortName\": \"HW\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}








Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

