CVE-2022-34322 - Vulnerability Details

Vendors	Products
Sage	Sage Enterprise Intelligence

Link	Providers
https://www.synacktiv.com/sites/default/files/2022-12/sage_sei_multiple_xss.pdf

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-34322", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T09:07:16.124Z", "dateReserved": "2022-06-22T00:00:00", "datePublished": "2023-01-01T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-01T00:00:00"}, "descriptions": [{"lang": "en", "value": "Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users About Modification menu and the Notifications feature. A user can send malicious notifications and execute JavaScript code in the browser of every user who has enabled notifications. This is a stored XSS, and can lead to privilege escalation in the context of the application. (Another issue is present in the Favorites tab. The name of a favorite or a folder of favorites is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a self-XSS.)"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.synacktiv.com/sites/default/files/2022-12/sage_sei_multiple_xss.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:07:16.124Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.synacktiv.com/sites/default/files/2022-12/sage_sei_multiple_xss.pdf", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sage:sage_enterprise_intelligence:2021_r1.1:*:*:*:*:*:*:*", "matchCriteriaId": "30A281FC-6EB6-451B-9B09-6B76E3279916", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users About Modification menu and the Notifications feature. A user can send malicious notifications and execute JavaScript code in the browser of every user who has enabled notifications. This is a stored XSS, and can lead to privilege escalation in the context of the application. (Another issue is present in the Favorites tab. The name of a favorite or a folder of favorites is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a self-XSS.)"}, {"lang": "es", "value": "Se descubrieron m\u00faltiples problemas XSS en Sage Enterprise Intelligence 2021 R1.1 que permiten a un atacante ejecutar c\u00f3digo JavaScript en el contexto de los navegadores de los usuarios. El atacante debe autenticarse para acceder a las funciones vulnerables. Hay un problema en el men\u00fa Notificar a los usuarios sobre la modificaci\u00f3n y en la funci\u00f3n Notificaciones. Un usuario puede enviar notificaciones maliciosas y ejecutar c\u00f3digo JavaScript en el navegador de cada usuario que haya habilitado las notificaciones. Este es un XSS almacenado y puede provocar una escalada de privilegios en el contexto de la aplicaci\u00f3n. (Otro problema est\u00e1 presente en la pesta\u00f1a Favoritos. El nombre de un favorito o una carpeta de favoritos se interpreta como HTML y, por lo tanto, puede incrustar c\u00f3digo JavaScript, que se ejecuta cuando se muestra. Este es un XSS propio)."}], "id": "CVE-2022-34322", "lastModified": "2024-11-21T07:09:17.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-01-01T08:15:10.007", "references": [{"source": "[email protected]", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://www.synacktiv.com/sites/default/files/2022-12/sage_sei_multiple_xss.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://www.synacktiv.com/sites/default/files/2022-12/sage_sei_multiple_xss.pdf"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object