CVE-2022-32533 — Cross-site Scripting in Software Foundation Apache Portals

CWE-79 — Cross-site Scripting CWE-352 — Cross-Site Request Forgery CWE-611 — XML External Entity (XXE) Injection CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

10.5%

top 6.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Portals Apache Jetspeed

Timeline

PublishedJul 6

Latest updateJul 7

Description

Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/jetspeed

▶CVEListV5apache_software_foundation/apache_portalsJetspeed 2.3.1

🔴Vulnerability Details

GHSA

Insufficient user input in Apache Jetspeed-2↗2022-07-07

▶

OSV

Insufficient user input in Apache Jetspeed-2↗2022-07-07

▶

CVEList

Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues↗2022-07-06

▶