CVE-2022-41947

Published: Dec 8, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints.

Vendor	Product	Versions
dhis2	dhis2-core	affected `< 2.36.12.1` affected `>= 2.37.0.0, < 2.37.8.1` affected `>= 2.38.0.0, < 2.38.2.1` affected `>= 2.39.0.0, < 2.39.0.1`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg

x_refsource_CONFIRM

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-41947

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References