Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-4560— Joget wflow-core UniversalTheme.java getInternalJsCssLib cross site scripting

CVSS 3.5 · Low EPSS 0.27% · P50
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-4560

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Joget wflow-core UniversalTheme.java getInternalJsCssLib cross site scripting
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was found in Joget up to 7.0.31. It has been rated as problematic. This issue affects the function getInternalJsCssLib of the file wflow-core/src/main/java/org/joget/plugin/enterprise/UniversalTheme.java of the component wflow-core. The manipulation of the argument key leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 7.0.32 is able to address this issue. The name of the patch is ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215963.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Joget 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Joget是Joget开源的一个开源无代码/低代码应用程序平台。用于更快、更简单的数字转换(DX)。 Joget 7.0.32版本及之前版本存在跨站脚本漏洞。攻击者利用该漏洞执行跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-Joget 7.0.0 -

II. Public POCs for CVE-2022-4560

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2022-4560

登录查看更多情报信息。

Same Patch Batch · n/a · 2022-12-16 · 161 CVEs total

CVE-2022-26582PAX Technology A930 操作系统命令注入漏洞
CVE-2022-20608Google Pixel 缓冲区错误漏洞
CVE-2022-20609Google Pixel 缓冲区错误漏洞
CVE-2022-20610Google Pixel 缓冲区错误漏洞
CVE-2022-25626Symantec Identity Manager 授权问题漏洞
CVE-2022-25627Symantec Identity Manager 安全漏洞
CVE-2022-25628Symantec Identity Manager 代码问题漏洞
CVE-2022-26579PAX Technology A930 数据伪造问题漏洞
CVE-2022-26580PAX Technology A930 操作系统命令注入漏洞
CVE-2022-26581PAX Technology A930 安全漏洞
CVE-2022-37832Mutiny Network Monitoring Appliance 信任管理问题漏洞
CVE-2022-42503Google Pixel 缓冲区错误漏洞
CVE-2022-42502Google Pixel 缓冲区错误漏洞
CVE-2022-42501Google Pixel 缓冲区错误漏洞
CVE-2022-4130Red Hat Satellite 安全漏洞
CVE-2022-31708VMware vRealize Operations 安全漏洞
CVE-2022-3109FFmpeg 代码问题漏洞
CVE-2022-31707VMware vRealize Operations 安全漏洞
CVE-2022-20607Google Pixel 缓冲区错误漏洞
CVE-2022-36223Emby Server 跨站脚本漏洞

Showing top 20 of 161 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Joget
Same vendor: n/a
Same weakness: CWE-79

V. Comments for CVE-2022-4560

No comments yet

Leave a comment