CVE-2022-39195
Published 2023-01-17

CVE-2022-39195: A cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the c parameter.
Priority: P341 | Severity: medium | CVSS 3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 6.31% (92.7th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lsoft | listserv | — | — |
No detection rules found.
Exploit-DB
LISTSERV 17 - Reflected Cross Site Scripting (XSS)
exploitdb·2023-03-30·CVSS 6.1
---
# Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting (XSS)
# Google Dork: inurl:/scripts/wa.exe
# Date: 12/01/2022
# Exploit Author: Shaunt Der-Grigorian
# Vendor Homepage: https://www.lsoft.com/
# Software Link: https://www.lsoft.com/download/listserv.asp
# Version: 17
# Tested on: Windows Server 2019
# CVE : CVE-2022-39195
A reflected cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the "c" parameter.
To reproduce, please visit
http://localhost/scripts/wa.exe?TICKET=test&c=%3Cscript%3Ealert(1)%3C/script%3E
(or whichever URL you can use for testing instead of localhost).
The "c" parameter will reflect any value given onto the page.
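A defensive log check for the behaviour described above, added here as an example (it is not part of the Exploit-DB entry, the Nuclei template, or any vendor code): it flags access-log requests to `wa.exe` whose `c` parameter contains HTML markup characters after URL decoding. The log lines are constructed samples, and the case-insensitive parameter match and repeated decoding are conservative assumptions, not documented LISTSERV behaviour.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request target from a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters needed to leave an HTML text or attribute context.
MARKUP_RE = re.compile(r"[<>\"']")

# Constructed sample log lines (not real traffic). Line 2 uses the URL from the page.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jan/2023:10:00:00 +0000] "GET /scripts/wa.exe?A0=EXAMPLE-L HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Jan/2023:10:00:05 +0000] "GET /scripts/wa.exe?TICKET=test&c=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4211',
    '203.0.113.5 - - [17/Jan/2023:10:00:09 +0000] "GET /scripts/wa.exe?TICKET=test&c=abc123 HTTP/1.1" 200 4198',
    '203.0.113.9 - - [17/Jan/2023:10:00:12 +0000] "GET /scripts/wa.exe?c=%253Cb%253Etest%253C%252Fb%253E HTTP/1.1" 200 4230',
    '203.0.113.7 - - [17/Jan/2023:10:00:20 +0000] "GET /index.html?c=%3Cb%3E HTTP/1.1" 200 812',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_c_values(log_line):
    """Return decoded `c` values containing markup for requests to wa.exe."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # Only the wa.exe path named on the page is checked.
    if not url.path.lower().endswith("/wa.exe"):
        return []
    hits = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name.lower() != "c":  # assumption: treat C and c alike
            continue
        hits += [d for d in map(fully_decode, values) if MARKUP_RE.search(d)]
    return hits

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1) for v in suspicious_c_values(line)]

if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: markup in c parameter: {v!r}")
```

A hit shows that markup was sent in the parameter, not that it was rendered unescaped; confirm against the response body or the installed LISTSERV version.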
Nuclei
LISTSERV 17 - Cross-Site Scripting
nuclei·CVSS 6.1
LISTSERV 17 web interface contains a cross-site scripting vulnerability. An attacker can inject arbitrary JavaScript or HTML via the "c" parameter, thereby possibly allowing the attacker to steal cookie-based authentication credentials and launch other attacks.
Template:

```yaml
id: CVE-2022-39195

info:
  name: LISTSERV 17 - Cross-Site Scripting
  author: arafatansari
  severity: medium
  description: |
    LISTSERV 17 web interface contains a cross-site scripting vulnerability. An attacker can inject arbitrary JavaScript or HTML via the "c" parameter, thereby possibly allowing the attacker to steal cookie-based authentication credentials and launch other attacks.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script
```