CVE-2022-1231
Last modified
CVE-2022-1231 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. XSS via Embedded SVG in SVG Diagram Format in GitHub repository plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of the diagram embedder. EPSS estimates a 1.78% chance of exploitation in the next 30 days.
Description
XSS via Embedded SVG in SVG Diagram Format in GitHub repository plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of the diagram embedder. Depending on the actual context, this ranges from stealing secrets to account hijacking or even to code execution for example in desktop applications. Web based applications are the ones most affected. Since the SVG format allows clickable links in diagrams, it is commonly used in plugins for web based projects (like the Confluence plugin, etc. see https://plantuml.com/de/running).
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Plantuml | Plantuml | < 1.2022.4 |
| Fedoraproject | Fedora | 35 |
| Fedoraproject | Fedora | 36 |
References
- https://github.com/plantuml/plantuml/commit/c9137be051ce98b3e3e27f65f54ec7d9f8886903Patch, Third Party Advisory
- https://huntr.dev/bounties/27db9509-6cd3-4148-8d70-5942f3837604Exploit, Third Party Advisory
- https://github.com/plantuml/plantuml/commit/c9137be051ce98b3e3e27f65f54ec7d9f8886903Patch, Third Party Advisory
- https://huntr.dev/bounties/27db9509-6cd3-4148-8d70-5942f3837604Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-1231?
How severe is CVE-2022-1231?
How do I fix CVE-2022-1231?
Are you affected by CVE-2022-1231?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST