CVE-2022-40849

{"id": "CVE-2022-40849", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2022-12-01T05:15:11.890", "references": [{"url": "https://github.com/thinkcmf/thinkcmf/issues/737", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID)."}, {"lang": "es", "value": "La versi\u00f3n 6.0.7 de ThinkCMF se ve afectada por Cross-Site Scripting (XSS) Almacenado. Un atacante que explotara con \u00e9xito esta vulnerabilidad podr\u00eda inyectar un payload XSS persistente en la secci\u00f3n Administraci\u00f3n de presentaciones de diapositivas que ejecuta c\u00f3digo JavaScript arbitrario en el lado del cliente, por ejemplo, para robar el token de sesi\u00f3n PHP del administrador (PHPSESSID)."}], "lastModified": "2022-12-02T17:24:33.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thinkcmf:thinkcmf:6.0.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F02595D-FE6B-481C-87D7-E31A5C955FED"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}