{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-0020","assignerOrgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","assignerShortName":"palo_alto","dateUpdated":"2024-09-16T16:53:59.807Z","dateReserved":"2021-12-28T00:00:00.000Z","datePublished":"2022-02-10T18:10:23.382Z"},"containers":{"cna":{"title":"Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface","datePublic":"2022-02-09T00:00:00.000Z","providerMetadata":{"orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto","dateUpdated":"2023-04-10T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"A stored cross-site scripting (XSS) vulnerability in the Palo Alto Networks Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent JavaScript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations. This issue impacts: All builds of Cortex XSOAR 6.1.0; Cortex XSOAR 6.2.0 builds earlier than build 1958888."}],"affected":[{"vendor":"Palo Alto Networks","product":"Cortex XSOAR","versions":[{"version":"6.5.0 all","status":"unaffected"},{"version":"6.1.0 all","status":"affected"},{"version":"6.2.0","status":"affected","lessThan":"1958888","versionType":"custom","changes":[{"at":"1958888","status":"unaffected"}]}]}],"references":[{"url":"https://security.paloaltonetworks.com/CVE-2022-0020"},{"url":"http://packetstormsecurity.com/files/171782/Palo-Alto-Cortex-XSOAR-6.5.0-Cross-Site-Scripting.html"}],"credits":[{"lang":"en","value":"Palo Alto Networks thanks Ömür Uğur of Türk Telekom for discovering and reporting this issue."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":6.8,"baseSeverity":"MEDIUM"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-79 Cross-site Scripting (XSS)","cweId":"CWE-79"}]}],"x_generator":{"engine":"Vulnogram 0.0.9"},"source":{"defect":["PDV-2194"],"discovery":"EXTERNAL"},"workarounds":[{"lang":"en","value":"There are no known workarounds for this issue."}],"exploits":[{"lang":"en","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"timeline":[{"lang":"en","time":"2022-02-09T00:00:00.000Z","value":"Initial publication"}],"solutions":[{"lang":"en","value":"This issue is fixed in Cortex XSOAR 6.2.0 build 1958888 and all later Cortex XSOAR versions."}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T23:18:41.523Z"},"title":"CVE Program Container","references":[{"url":"https://security.paloaltonetworks.com/CVE-2022-0020","tags":["x_transferred"]},{"url":"http://packetstormsecurity.com/files/171782/Palo-Alto-Cortex-XSOAR-6.5.0-Cross-Site-Scripting.html","tags":["x_transferred"]}]}]}}