CVE-2022-4105

Published: Nov 21, 2022

Modified: Apr 14, 2025

PUBLISHED

CVSS v3.0

7.1

HIGH

Description

A stored XSS in a kiwi Test Plan can run malicious javascript which could be chained with an HTML injection to perform a UI redressing attack (clickjacking) and an HTML injection which disables the use of the history page.

Vendor	Product	Versions
kiwitcms	kiwitcms/kiwi	affected `unspecified - < 11.6`

Weaknesses (CWE)

CWE-79

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://huntr.dev/bounties/386417e9-0cd5-4d80-8137-b0fd5c30b8f8

https://github.com/kiwitcms/kiwi/commit/a2b169ffdef1d7c1755bade8138578423b35011b

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-4105

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References