Vulnerability Description
Origin Protocol is a blockchain based project. The Origin Protocol project website allows for malicious users to inject malicious Javascript via a POST request to `/presale/join`. User-controlled data is passed with no sanitization to SendGrid and injected into an email that is delivered to the [email protected]. If the email recipient is using an email program that is susceptible to XSS, then that email recipient will receive an email that may contain malicious XSS. Regardless if the email recipient’s mail program has vulnerabilities or not, the hacker can at the very least inject malicious HTML that modifies the body content of the email. There are currently no known workarounds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Originprotocol | Origin Website | < 2022-01-10 |
Related Weaknesses (CWE)
References
- https://github.com/OriginProtocol/origin-website/pull/617PatchThird Party Advisory
- https://github.com/OriginProtocol/origin-website/security/advisories/GHSA-v6fc-qThird Party Advisory
- https://github.com/github/codeql/pull/7127PatchThird Party Advisory
- https://github.com/OriginProtocol/origin-website/pull/617PatchThird Party Advisory
- https://github.com/OriginProtocol/origin-website/security/advisories/GHSA-v6fc-qThird Party Advisory
- https://github.com/github/codeql/pull/7127PatchThird Party Advisory
FAQ
What is CVE-2022-24864?
CVE-2022-24864 is a vulnerability with a CVSS score of 4.1 (MEDIUM). Origin Protocol is a blockchain based project. The Origin Protocol project website allows for malicious users to inject malicious Javascript via a POST request to `/presale/join`. User-controlled data...
How severe is CVE-2022-24864?
CVE-2022-24864 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24864?
Check the references section above for vendor advisories and patch information. Affected products include: Originprotocol Origin Website.