Vulnerability Report

CVE-2022-31133

Title: Stored XSS in HumHub (Space Administration)

XSS

Proof Of Concept

No public PoC currently indexed for CVE-2022-31133.

CWE Category CWE-79
Published Date Jul 07, 2022
Modified Date Nov 21, 2024
Exploit Status Not Found
Score 5.9 CVSS v3.1
Exploit Probability (EPSS)
0.30%

Vulnerability Summary

CVE-2022-31133: HumHub is an Open Source Enterprise Social Network. Affected versions of HumHub are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, the attacker would need a permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped and so an attacker with sufficient privilege could insert malicious javascript into a space name and exploit system users who visit that space. It is recommended that the HumHub is upgraded to 1.11.4, 1.10.5. There are no known workarounds for this issue.

Impacted Vendors

H
humhub 1

Reference Links

https://github.com/humhub/humhub/commit/07d9f8f9b6334970ee38156a3416c3708d157cae https://github.com/humhub/humhub/commit/f88991dfe56a05870df165ac89a2755dd4c1ffa1 https://github.com/humhub/humhub/security/advisories/GHSA-p7h3-73v7-959c https://huntr.dev/bounties/89d996a2-de30-4261-8e3f-98e54cb25f76 https://github.com/humhub/humhub/commit/07d9f8f9b6334970ee38156a3416c3708d157cae https://github.com/humhub/humhub/commit/f88991dfe56a05870df165ac89a2755dd4c1ffa1 https://github.com/humhub/humhub/security/advisories/GHSA-p7h3-73v7-959c https://huntr.dev/bounties/89d996a2-de30-4261-8e3f-98e54cb25f76
CVSS v3.1
Source Entity [email protected]
Severity MEDIUM
5.9
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
REQUIRED
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
CHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CVSS v3.1
Source Entity [email protected]
Severity MEDIUM
4.8
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
REQUIRED
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
CHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v2.0
Source Entity [email protected]
Severity LOW
3.5
Access Vector
N/A
Authentication
N/A
RAW VECTOR AV:N/AC:M/Au:S/C:N/I:P/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2022-31133 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

MODIFIED

Vulnerability data or affected products updated.

PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction REQUIRED
CVSS Vector String CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Affected Stack

No specific products linked.