CVE-2022-28599

{"id": "CVE-2022-28599", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2022-05-03T18:15:08.983", "references": [{"url": "https://github.com/daylightstudio/FUEL-CMS/issues/595", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack."}, {"lang": "es", "value": "En FUEL-CMS versi\u00f3n 1.5.1, se presenta una vulnerabilidad de tipo cross-site scripting (XSS) almacenado que permite a un usuario autenticado subir un archivo .pdf malicioso que act\u00faa como carga \u00fatil de tipo XSS almacenado. Si esta carga \u00fatil de tipo XSS almacenado es desencadenada por un administrador, desencadenar\u00e1 un ataque de tipo XSS"}], "lastModified": "2022-05-10T19:12:55.073", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3A806A2-582F-49B6-B9EC-C0FB4B13ED3D"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}