CVE-2022-43760

{"id": "CVE-2022-43760", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "meissner@suse.de", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.7}]}, "published": "2023-06-01T13:15:10.373", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "meissner@suse.de"}, {"url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x", "tags": ["Vendor Advisory"], "source": "meissner@suse.de"}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-43760", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/rancher/rancher/security/advisories/GHSA-46v3-ggjg-qq3x", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "meissner@suse.de", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is \nexecuted within another user's browser, allowing the attacker to steal \nsensitive information, manipulate web content, or perform other \nmalicious activities on behalf of the victims. This could result in a \nuser with write access to the affected areas being able to act on behalf\n of an administrator, once an administrator opens the affected web page.\n\n\nThis issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4.\n\n"}], "lastModified": "2024-11-21T07:27:10.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E9E01CC-9BB4-4A69-8F2D-ECCA9CF59580", "versionEndExcluding": "2.6.13", "versionStartIncluding": "2.6.0"}, {"criteria": "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82B60ABA-3389-45F0-9F45-4D4D0D4738BC", "versionEndExcluding": "2.7.4", "versionStartIncluding": "2.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "meissner@suse.de"}