CVE-2022-42466
Apache Isis Cross-site Scripting vulnerability
6.1
MEDIUM
CVSS 3.1
EPSS 22.0%
Description
Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter javascript or similar and this would be executed. As of this release, the inputted strings are properly escaped when rendered.
How to fix CVE-2022-42466
To remediate CVE-2022-42466, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.0-M9 or later
Is CVE-2022-42466 being exploited?
Moderate — EPSS is 22.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 2.0.0-M9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |