CVE-2022-23466 Detail
This vulnerability is currently undergoing reanalysis and not all information is available. Please check back soon to view the completed vulnerability summary.
Current Description
teler is a real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed in version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Weakness Enumeration
CWE-ID | CWE Name | Source |
---|---|---|
CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | GitHub, Inc. |
Change History
Initial Analysis by NIST 12/08/2022 12:08:58 PM
Action | Type | Old Value | New Value |
---|---|---|---|
Added | CPE Configuration | | OR: `cpe:2.3:a:teler_project:teler:2.0.0:dev:*:*:*:*:*:*`, `cpe:2.3:a:teler_project:teler:2.0.0:rc:*:*:*:*:*:*`, `cpe:2.3:a:teler_project:teler:2.0.0:rc2:*:*:*:*:*:*`, `cpe:2.3:a:teler_project:teler:2.0.0:rc3:*:*:*:*:*:*` |
Added | CVSS V3.1 | | NIST AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Changed | Reference Type | https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e No Types Assigned | https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e Patch, Third Party Advisory |
Changed | Reference Type | https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q No Types Assigned | https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q Patch, Third Party Advisory |
Quick Info
CVE Dictionary Entry: CVE-2022-23466
NVD Published Date: 12/06/2022
NVD Last Modified: 12/08/2022
Source: GitHub, Inc.