Learn about CVE-2022-23065 impacting Vendure versions 0.1.0-alpha.2 to 1.5.1. Upgrade to version 1.5.2 or higher immediately to prevent stored XSS attacks.
Vendure - XSS via SVG File Upload
Understanding CVE-2022-23065
A Stored XSS vulnerability affects Vendure versions 0.1.0-alpha.2 to 1.5.1, allowing malicious JavaScript to be uploaded via SVG files.
What is CVE-2022-23065?
In versions 0.1.0-alpha.2 to 1.5.1 of Vendure, an attacker who holds the catalog permission can upload SVG files containing JavaScript through the 'Assets' tab. Because the asset is stored and served by Vendure, the script runs in the browser of any administrator or regular user who later views it.
The Impact of CVE-2022-23065
The vulnerability carries a CVSS base score of 5.4 (Medium severity): its impact on confidentiality and integrity is rated Low, the privileges required are Low (catalog permission), and user interaction is required, since the injected script only runs when someone views the uploaded asset.
Technical Details of CVE-2022-23065
Vulnerability Description
The vulnerability allows attackers to execute stored XSS attacks by uploading SVG files with malicious JavaScript.
Affected Systems and Versions
Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by this vulnerability.
Exploitation Mechanism
An attacker with the catalog permission exploits the vulnerability by uploading an SVG file that embeds JavaScript; the payload is then stored as a regular asset and executes whenever the asset is rendered.
Mitigation and Prevention
Immediate Steps to Take
Upgrade your Vendure installation to version 1.5.2 or higher to mitigate the risk of exploitation.
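As an added example (not part of this advisory and not Vendure's own code), a TypeScript check that a deployment could place in its asset-upload path to reject SVGs carrying script-capable content; the hook point into Vendure is assumed, and the SVG samples are constructed.

```typescript
// Added example, not Vendure's own code: a conservative server-side check that
// rejects SVG uploads carrying script-capable content, meant to run in the asset
// upload path before the file is stored (the wiring into Vendure is assumed).
// It is a backstop: the primary fixes are upgrading to 1.5.2+ and limiting who
// may upload SVGs at all.

const ACTIVE_SVG_PATTERNS: Array<{ name: string; re: RegExp }> = [
  { name: "script element", re: /<\s*script\b/i },
  { name: "event handler attribute", re: /\son[a-z]+\s*=/i },
  { name: "javascript: URI", re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject element", re: /<\s*foreignObject\b/i },
];

// Decode numeric character references so that obfuscated attribute values
// (e.g. "&#x6A;avascript:") are scanned in their decoded form.
function decodeNumericEntities(s: string): string {
  const toChar = (n: number) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => toChar(parseInt(d, 10)));
}

interface SvgScanResult { safe: boolean; findings: string[] }

// Scan SVG text and report every active-content construct found.
function scanSvg(svgText: string): SvgScanResult {
  const text = decodeNumericEntities(svgText);
  const findings = ACTIVE_SVG_PATTERNS.filter(p => p.re.test(text)).map(p => p.name);
  return { safe: findings.length === 0, findings };
}

// Decide whether an upload may be stored. Anything declared as SVG, named .svg,
// or whose body looks like SVG is scanned, so a renamed file is not waved through.
function shouldAcceptUpload(declaredMime: string, fileName: string, body: string): boolean {
  const looksLikeSvg =
    /^image\/svg\+xml\b/i.test(declaredMime) || /\.svg$/i.test(fileName) || /<\s*svg\b/i.test(body);
  return !looksLikeSvg || scanSvg(body).safe;
}

// Constructed samples: a plain icon, and three variants carrying active content.
const SAMPLE_CLEAN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const SAMPLE_SCRIPT_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>/* marker */</script><circle r="4"/></svg>';
const SAMPLE_HANDLER_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" onload="/* marker */"/></svg>';
const SAMPLE_ENTITY_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><a href="&#x6A;avascript:void(0)"><text>x</text></a></svg>';
```

Pattern scanning is a backstop, not a substitute for the 1.5.2 upgrade; serving uploaded assets from a separate origin, or with `Content-Disposition: attachment`, also keeps any SVG that slips through from executing in the admin UI's origin.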
Long-Term Security Practices
Regularly update your software to the latest versions to ensure that known vulnerabilities are patched promptly.
Patching and Updates
Stay informed about security advisories and apply patches as soon as they are released to protect your systems from potential threats.