CVE-2022-0020
Published 2022-02-10
Priority: P4 · 33 · Medium · CVSS 3.1 base score 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploit
EPSS: 1.71% (74.5th percentile)
A stored cross-site scripting (XSS) vulnerability in Palo Alto Network Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent javascript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations. This issue impacts: All builds of Cortex XSOAR 6.1.0; Cortex XSOAR 6.2.0 builds earlier than build 1958888.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | cortex_xsoar | — | — |
| palo_alto_networks | cortex_xsoar | >= 6.2.0 < 1958888 | 1958888 |
| paloalto | cortex_xsoar | — | — |
| paloaltonetworks | cortex_xsoar | — | — |
| paloaltonetworks | cortex_xsoar | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
VMware
VMSA-2022-0020: VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities
vendor_vmware · 2022-07-12 · CVSS 6.5
CVE-2022-23816 [MEDIUM]
VMware ESXi contains Return-Stack-Buffer-Underflow (CVE-2022-29901, CVE-2022-28693, CVE-2022-26373) and Branch Type Confusion (CVE-2022-23816, CVE-2022-23825) vulnerabilities due to the Intel and AMD processors it utilizes. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.6.
CVEs: CVE-2022-23816, CVE-2022-23825, CVE-2022-26373, CVE-2022-28693, CVE-2022-29901
Affected products: VMware Cloud Foundation, VMware ESXi, VMware vSphere
Palo Alto
Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface
vendor_paloalto · 2022-02-09 · CVSS 5.4
CVE-2022-0020 [MEDIUM] CWE-79
A stored cross-site scripting (XSS) vulnerability in Palo Alto Network Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent javascript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations.
Affected products: Cortex XSOAR
Solution: This issue is fixed in Cortex XSOAR 6.2.0 build 1958888 and all later Cortex XSOAR versions.
Workaround: There are no known workarounds for this issue.
GHSA
GHSA-p58g-823f-vq5p
ghsa_unreviewed · 2022-02-11
CVE-2022-0020 [MEDIUM] CWE-79
A stored cross-site scripting (XSS) vulnerability in Palo Alto Network Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent javascript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations. This issue impacts: All builds of Cortex XSOAR 6.1.0; Cortex XSOAR 6.2.0 builds earlier than build 1958888.
No detection rules found.
No writeups or analysis indexed.