CVE-2022-39301 Information

Description

sra-admin is a back-office rights management system with separated front end and back end. sra-admin version 1.1.1 has a stored cross-site scripting (XSS) vulnerability. After logging into the sra-admin back office, an attacker can upload an HTML page containing XSS attack code via Personal Center > Profile Picture Upload; when another user views the uploaded file, the script runs in that user's browser and can steal their personal information. This issue has been patched in 1.1.2. There are no known workarounds.
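As an added example, not code from the sra-admin project: the server-side validation a profile-picture upload endpoint should apply so that an HTML document is rejected before it can be stored and later served as a page. The extension allowlist, the magic-byte table, the size limit and the response headers are assumptions chosen for this illustration.

```python
# Added example (not sra-admin code): validate an avatar upload by content, not
# by filename alone, and serve it with headers that stop the browser from
# treating it as an HTML document. Allowlist and limits are assumed values.

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXT = {"png": "image/png", "jpg": "image/jpeg",
               "jpeg": "image/jpeg", "gif": "image/gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB avatar limit


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_avatar(filename: str, data: bytes):
    """Return (accepted, reason, mime). Anything that is not a real image
    of the declared type is refused; an HTML file fails the magic check."""
    if len(data) > MAX_BYTES:
        return False, "too large", None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed", None
    mime = sniff_image_type(data)
    if mime is None:
        return False, "content is not a recognised image", None
    if mime != ALLOWED_EXT[ext]:
        return False, "extension does not match content", None
    return True, "ok", mime


def avatar_response_headers(mime: str) -> dict:
    """Headers for serving a stored avatar: fixed MIME type from the sniffed
    content, no browser MIME sniffing, and a CSP sandbox as a second layer."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and an HTML document.
    print(validate_avatar("me.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(validate_avatar("me.png", b"<html><body>not an image</body></html>"))
```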

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/momofoolish/sra-admin/security/advisories/GHSA-v7r9-qx74-h3v8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM