CVE-2022-43980
published 2023-01-27CVE-2022-43980: There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality. An attacker could modify a network map…
PriorityP424medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.28%
19.7th percentile
There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality. An attacker could modify a network map, including on purpose the name of an XSS payload. Once created, if a user with admin privileges clicks on the edited network maps, the XSS payload will be executed. The exploitation of this vulnerability could allow an atacker to steal the value of the admin user´s cookie.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| artica_pfms | pandora_fms | — | — |
| pandorafms | pandora_fms | < 766 | 766 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vendor_apache3.7LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-c9jf-g47r-97q7: There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality
ghsa_unreviewed·2023-07-06
CVE-2022-43980 [MEDIUM] CWE-352 GHSA-c9jf-g47r-97q7: There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality
There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality. An attacker could modify a network map, including on purpose the name of an XSS payload. Once created, if a user with admin privileges clicks on the edited network maps, the XSS payload will be executed. The exploitation of this vulnerability could allow an atacker to steal the value of the admin user´s cookie.
Apache
Apache tomcat: CVE-2021-43980
vendor_apache·CVSS 3.7
CVE-2021-43980 [LOW] Apache tomcat: CVE-2021-43980
Apache tomcat: CVE-2021-43980
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. This was fixed with commit 4a00b0c0 . This issue was reported to the Apache Tomcat Security team by Adam Thomas, Richard Hernandez and Ryan Schmitt on 11 November 2021. The issue was made public on 28 September 2022. Affects: 8.5.0 to 8.5.77 28 February 2022 Fixed in Apache Tomcat 8.5.76 Important: Request mix-up
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-01-27
Published