CVE-2022-2514
Fava time and filter parameters vulnerable to reflected Cross-site Scripting
CVSS 3.1 base score: 6.1 (MEDIUM)
EPSS: 0.32%
Description
The `time` and `filter` query parameters in Fava prior to v1.22 are vulnerable to reflected XSS: when these parameters fail to parse, the resulting error messages include the submitted parameter values verbatim, without HTML escaping, so attacker-controlled markup is rendered in the victim's browser.
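The pattern behind this advisory, as an added illustration that is not Fava's own code: an error message built from an unparsed query parameter, shown in the unsafe form (value interpolated verbatim into HTML) and the hardened form (value escaped before it enters the HTML context), plus a small regression check. The function names, the `filter` parameter handling and the sample input are all constructed for this example.

```python
import html

# Constructed sample: a malformed filter expression that fails to parse and is
# therefore echoed back in the error message. The embedded tag is benign; it
# only demonstrates that markup in the value would be interpreted by a browser.
SAMPLE_FILTER = 'account:"Assets<b>oops</b>'


def render_error_unsafe(param_name: str, value: str) -> str:
    """Vulnerable pattern: the untrusted value is dropped into HTML verbatim."""
    return f'<p class="error">Failed to parse {param_name}: {value}</p>'


def render_error_safe(param_name: str, value: str) -> str:
    """Hardened pattern: escape '<', '>', '&' and quotes before interpolating,
    so the value is rendered as text rather than markup."""
    escaped = html.escape(value, quote=True)
    return f'<p class="error">Failed to parse {param_name}: {escaped}</p>'


def reflects_markup(rendered: str, submitted: str) -> bool:
    """Regression check: True if the submitted value, tags intact, survives
    into the rendered page (i.e. the output is still vulnerable)."""
    return submitted in rendered


if __name__ == "__main__":
    for renderer in (render_error_unsafe, render_error_safe):
        page = renderer("filter", SAMPLE_FILTER)
        status = "REFLECTED" if reflects_markup(page, SAMPLE_FILTER) else "escaped"
        print(f"{renderer.__name__}: {status}\n  {page}")
```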
How to fix CVE-2022-2514
To remediate CVE-2022-2514, upgrade the affected package to a fixed version below.
- Debian/fava: no fix listed
- upgrade to 1.22 or later
- upgrade to commit ca9e3882c7b5fbf5273ba52340b9fea6a99f3711 or later
- no fix listed
Is CVE-2022-2514 being exploited?
Low: EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0
- from 0, < 1.22
- from 0, < ca9e3882c7b5fbf5273ba52340b9fea6a99f3711 | from 0, < 1.22
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |