• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    公众号

CVE-2022-31113

原作者: [db:作者] 来自: [db:来源] 收藏 邀请

Description

Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens. This permits an attacker who recognised an HTTP-based Canarytoken (a URL) to execute Javascript in the Canarytoken's history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken's creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place Javascript on the history page that redirect the creator towards an attacker-controlled Canarytoken to show the creator's network location. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. The issue has been patched on Canarytokens.org and in the latest release. No signs of successful exploitation of this vulnerability have been found. Users are advised to upgrade. There are no known workarounds for this issue.


Severity



CVSS 3.x Severity and Metrics:

NIST CVSS score
NIST: NVD
Base Score:  N/A
NVD score not yet provided.

Nist CVSS score does not match with CNA score
CNA:  GitHub, Inc.
Base Score:  6.3 MEDIUM
Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L


NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings. A CNA provided score within the CVE List has been displayed.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Hyperlink Resource
https://github.com/thinkst/canarytokens/commit/dc378957bc28a6f3b5a8d7217b0605d81111f090
https://github.com/thinkst/canarytokens/security/advisories/GHSA-5675-3424-hpqr

Weakness Enumeration

CWE-ID CWE Name Source
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Provider acceptance level GitHub, Inc.  

Change History

0 change records found show changes

鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

上一篇:
CVE-2021-37524发布时间:2022-07-08
下一篇:
CVE-2022-2270发布时间:2022-07-08
热门推荐
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap