CVE-2022-0437
Published 2022-02-05
CVE-2022-0437: Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
Priority: P3 43 medium, CVSS 3.1 score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 15.17% (96.3rd percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| karma-runner | karma-runner_karma | >= unspecified < 6.3.14 | 6.3.14 |
| karma_project | karma | < 6.3.14 | 6.3.14 |
| karma_project | karma | >= 0 < 6.3.14 | 6.3.14 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
osv · 2022-02-06
CVE-2022-0437 [MEDIUM] Cross-site Scripting in karma
karma prior to version 6.3.14 contains a cross-site scripting vulnerability.
GHSA
ghsa · 2022-02-06
CVE-2022-0437 [MEDIUM] CWE-79 Cross-site Scripting in karma
karma prior to version 6.3.14 contains a cross-site scripting vulnerability.
No detection rules found.
Nuclei
nuclei · CVSS 6.1
CVE-2022-0437 [MEDIUM] karma-runner DOM-based Cross-Site Scripting
NPM karma prior to 6.3.14 contains a DOM-based cross-site scripting vulnerability.
Template:
```yaml
id: CVE-2022-0437

info:
  name: karma-runner DOM-based Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: NPM karma prior to 6.3.14. contains a DOM-based cross-site Scripting vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Upgrade to the latest version of karma-runner that includes proper input sanitization to mitigate this vulnerability.
  reference:
    - https://huntr.dev/bounties/64b67ea1-5487-4382-a5f6-e8a95f79
```
No writeups or analysis indexed.
Published: 2022-02-05