Vulnerability Description
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS because error messages that echoed these parameters verbatim were not escaped before being rendered.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fava Project | Fava | < 1.22 |
Related Weaknesses (CWE)
References
- https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f371 (Patch, Third Party Advisory)
- https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-2514?
CVE-2022-2514 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS because error messages that echoed these parameters verbatim were not escaped before being rendered.
How severe is CVE-2022-2514?
CVE-2022-2514 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS section above for the severity rating.
Is there a patch for CVE-2022-2514?
Check the references section above for vendor advisories and patch information; the linked commit is the upstream fix, and Fava v1.22 and later are not affected. Affected products include: Fava (Fava Project), versions prior to 1.22.