GSD-2022-21149
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 are vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user's account through the stolen cookie.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-21149",
"description": "The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 are vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user\u0027s account through the stolen cookie.",
"id": "GSD-2022-21149"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-21149"
],
"details": "The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 are vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user\u0027s account through the stolen cookie.",
"id": "GSD-2022-21149",
"modified": "2023-12-13T01:19:14.700267Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-05-01T15:25:10.648352Z",
"ID": "CVE-2022-21149",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "s-cart/s-cart",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.9"
}
]
}
}
]
},
"vendor_name": "n/a"
},
{
"product": {
"product_data": [
{
"product_name": "s-cart/core",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.9"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Faisal Fs"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 are vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user\u0027s account through the stolen cookie."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-PHP-SCARTSCART-2389035",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-PHP-SCARTSCART-2389035"
},
{
"name": "https://snyk.io/vuln/SNYK-PHP-SCARTCORE-2389036",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-PHP-SCARTCORE-2389036"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c6.9",
"affected_versions": "All versions before 6.9",
"cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-79",
"CWE-937"
],
"date": "2022-05-23",
"description": "The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 is vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user\u0027s account through the stolen cookie.",
"fixed_versions": [
"6.9"
],
"identifier": "CVE-2022-21149",
"identifiers": [
"GHSA-7pfc-cx3m-v22x",
"CVE-2022-21149"
],
"not_impacted": "All versions starting from 6.9",
"package_slug": "packagist/s-cart/core",
"pubdate": "2022-05-03",
"solution": "Upgrade to version 6.9 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-21149",
"https://snyk.io/vuln/SNYK-PHP-SCARTCORE-2389036",
"https://snyk.io/vuln/SNYK-PHP-SCARTSCART-2389035",
"https://github.com/advisories/GHSA-7pfc-cx3m-v22x"
],
"uuid": "20c26359-8920-4771-91bd-5bcec26646bc"
},
{
"affected_range": "\u003c6.9",
"affected_versions": "All versions before 6.9",
"cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-79",
"CWE-937"
],
"date": "2022-05-23",
"description": "The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 is vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user\u0027s account through the stolen cookie.",
"fixed_versions": [
"6.9"
],
"identifier": "CVE-2022-21149",
"identifiers": [
"GHSA-7pfc-cx3m-v22x",
"CVE-2022-21149"
],
"not_impacted": "All versions starting from 6.9",
"package_slug": "packagist/s-cart/s-cart",
"pubdate": "2022-05-03",
"solution": "Upgrade to version 6.9 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-21149",
"https://snyk.io/vuln/SNYK-PHP-SCARTCORE-2389036",
"https://snyk.io/vuln/SNYK-PHP-SCARTSCART-2389035",
"https://github.com/advisories/GHSA-7pfc-cx3m-v22x"
],
"uuid": "04bff5b8-23b2-4fcd-be2a-f02a4579c9c0"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:s-cart:s-cart:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.9.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2022-21149"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The package s-cart/s-cart before 6.9; the package s-cart/core before 6.9 are vulnerable to Cross-site Scripting (XSS) which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user\u0027s account through the stolen cookie."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-PHP-SCARTCORE-2389036",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-PHP-SCARTCORE-2389036"
},
{
"name": "https://snyk.io/vuln/SNYK-PHP-SCARTSCART-2389035",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-PHP-SCARTSCART-2389035"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 2.5
}
},
"lastModifiedDate": "2022-05-11T13:57Z",
"publishedDate": "2022-05-01T16:15Z"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…