Vulnerability-Lookup

GHSA-G84V-6FGF-JW3G

Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-02-04 00:00

Details

SYNEL - eharmony Authenticated Blind & Stored XSS. Inject JS code into the "comments" field could lead to potential stealing of cookies, loading of HTML tags and JS code onto the system.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-22791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-28T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SYNEL - eharmony Authenticated Blind \u0026 Stored XSS. Inject JS code into the \"comments\" field could lead to potential stealing of cookies, loading of HTML tags and JS code onto the system.",
  "id": "GHSA-g84v-6fgf-jw3g",
  "modified": "2022-02-04T00:00:38Z",
  "published": "2022-01-29T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22791"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2022-22791 (GCVE-0-2022-22791)

Vulnerability from cvelistv5 – Published: 2022-01-28 19:09 – Updated: 2024-08-03 03:21

Title

SYNEL - eharmony Authenticated Blind & Stored XSS

Summary

SYNEL - eharmony Authenticated Blind & Stored XSS. Inject JS code into the "comments" field could lead to potential stealing of cookies, loading of HTML tags and JS code onto the system.

Severity ?

6.6 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CWE

Assigner

INCD

References

URL

Tags

https://www.gov.il/en/departments/faq/cve_advisories

x_refsource_MISC

Credits

Moriel Harush - Sophtix Security LTD

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:21:49.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.gov.il/en/departments/faq/cve_advisories"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Moriel Harush - Sophtix Security LTD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SYNEL - eharmony Authenticated Blind \u0026 Stored XSS. Inject JS code into the \"comments\" field could lead to potential stealing of cookies, loading of HTML tags and JS code onto the system."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-28T19:09:52",
        "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
        "shortName": "INCD"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.gov.il/en/departments/faq/cve_advisories"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "A patch was released, Update to eharmony version 11 "
        }
      ],
      "source": {
        "advisory": "ILVN-2022-0012",
        "defect": [
          "ILVN-2022-0012"
        ],
        "discovery": "INTERNAL"
      },
      "title": "SYNEL - eharmony Authenticated Blind \u0026 Stored XSS",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "INCD",
          "ASSIGNER": "cna@cyber.gov.il",
          "ID": "CVE-2022-22791",
          "STATE": "PUBLIC",
          "TITLE": "SYNEL - eharmony Authenticated Blind \u0026 Stored XSS"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Moriel Harush - Sophtix Security LTD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SYNEL - eharmony Authenticated Blind \u0026 Stored XSS. Inject JS code into the \"comments\" field could lead to potential stealing of cookies, loading of HTML tags and JS code onto the system."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.gov.il/en/departments/faq/cve_advisories",
              "refsource": "MISC",
              "url": "https://www.gov.il/en/departments/faq/cve_advisories"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "A patch was released, Update to eharmony version 11 "
          }
        ],
        "source": {
          "advisory": "ILVN-2022-0012",
          "defect": [
            "ILVN-2022-0012"
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
    "assignerShortName": "INCD",
    "cveId": "CVE-2022-22791",
    "datePublished": "2022-01-28T19:09:52",
    "dateReserved": "2022-01-07T00:00:00",
    "dateUpdated": "2024-08-03T03:21:49.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-G84V-6FGF-JW3G

CVE-2022-22791 (GCVE-0-2022-22791)

Tags

Sightings

Nomenclature