CVE-2022-40743 — Cross-site Scripting in Software Foundation Apache Traffic Server

CWE-79 — Cross-site Scripting CWE-20 — Improper Input Validation5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

8.2%

top 7.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Traffic Server Apache Traffic Server

Timeline

PublishedDec 19

Description

Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and cache poisoning attacks.This issue affects Apache Traffic Server: 9.0.0 to 9.1.3. Users should upgrade to 9.1.4 or later versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_traffic_server9.0.0 — 9.1.3

▶NVDapache/traffic_server8.0.0 — 8.1.5+1

🔴Vulnerability Details

OSV

CVE-2022-40743: Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and↗2022-12-19

▶

CVEList

Apache Traffic Server: Security issues with the xdebug plugin↗2022-12-19

▶

GHSA

GHSA-q99x-rwh5-433q: Improper Input Validation vulnerability for the xdebug plugin in Apache Software Foundation Apache Traffic Server can lead to cross site scripting and↗2022-12-19

▶

📋Vendor Advisories

Debian

CVE-2022-40743: trafficserver - Improper Input Validation vulnerability for the xdebug plugin in Apache Software...↗2022

▶