An attacker can inject arbitrary HTML, script, or CSS into the "Product Affected" form field. This can lead to the disclosure of confidential information or the creation of a phishing site. CERT/CC VINCE software prior to 1.50.4 is affected. CERT/CC VINCE software prior to 1.50.4 is vulnerable to an arbitrary code execution vulnerability. An attacker can inject code into the "Issue Details" form field. This can lead to the disclosure of confidential information or the creation of a phishing site. CERT/CC VINCE software prior to 1.50.4 is affected. CERT/CC VINCE software prior to 1.50.4 is vulnerable to an arbitrary code execution vulnerability. An attacker can inject code into the "Resolution" form field. This can lead to the disclosure of confidential information or the creation of a phishing site. CERT/CC VINCE software prior to 1.50.4 is affected. CERT/CC VINCE software prior to 1.50.4 is vulnerable to an arbitrary code execution vulnerability. An attacker can inject code into the "Priority" form field. This can lead to the disclosure of confidential information or the creation of a phishing site. CERT/CC VINCE software prior to 1.50.4 is affected. CERT/CC VINCE software prior to 1.50.4 is vulnerable to an arbitrary code

Mitigation Strategies

In order to mitigate this vulnerability, you must ensure that the "Product Affected" field is not accessible from any external source.

Summary of CVE-2022-40248

An attacker can inject arbitrary HTML, script, or CSS into the "Product Affected" form field. This can lead to the disclosure of confidential information or the creation of a phishing site. CERT/CC VINCE software prior to 1.50.4 is affected. CERT/CC VINCE software prior to 1.50.4 is vulnerable to an arbitrary code execution vulnerability. An attacker can inject code into the "Issue Details" form field. This can lead to the disclosure of confidential information or the creation of a phishing site. CERT/CC VINCE software prior to 1.50.4 is affected. CERT/CC VINCE software prior to 1.50.4 is vulnerable to an arbitrary code execution vulnerability. An attacker can inject code into the "Resolution" form field. This can lead to the disclosure of confidential information or the creation of a phishing site. CERT/CC VINCE software prior to 1.50.4 is affected
CERT/CC VINCE software prior to 1.50.4 is vulnerable to an arbitrary code execution vulnerability and has exploitable vulnerabilities identified in its underlying PHP component that allow attackers with low skill sets and limited time investments, like web application penetration testers, remote attackers and technical consultants, have significant opportunities for privilege escalation and information disclosure in many types of configurations on systems that are not hosting any other web application component unless they are

Timeline

Published on: 10/10/2022 20:15:00 UTC
Last modified on: 10/11/2022 18:26:00 UTC

References