CVE-2022-34009 — Cross-site Scripting in Fossil

CWE-79 — Cross-site Scripting CWE-436 — Interpretation Conflict5 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 50.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fossil-scm Fossil

Timeline

PublishedJul 28

Latest updateJul 29

Description

Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDfossil-scm/fossil2.18

🔴Vulnerability Details

GHSA

GHSA-3632-grrp-f8wr: Fossil 2↗2022-07-29

▶

OSV

CVE-2022-34009: Fossil 2↗2022-07-28

▶

CVEList

CVE-2022-34009: Fossil 2↗2022-07-27

▶

📋Vendor Advisories

Debian

CVE-2022-34009: fossil - Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon cra...↗2022

▶