Add CVE-2022-39262 for GHSA-4x48-q2wr-cpg4

2025-05-08 19:46:39 +00:00 · 2022-11-03 13:37:59 +00:00 · 2022-11-03 13:37:59 +00:00 · 2805ec18b2
commit 2805ec18b2
parent b313227051
1 changed files with 76 additions and 6 deletions
--- a/2022/39xxx/CVE-2022-39262.json
+++ b/2022/39xxx/CVE-2022-39262.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39262",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Stored Cross-Site Scripting (XSS) on login page in GLPI"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "glpi",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 10.0.4"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "glpi-project"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package, GLPI administrator can define rich-text content to be displayed on login page. The displayed content is can contains malicious code that can be used to steal credentials. This issue has been patched, please upgrade to version 10.0.4."
+            }
+        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "LOW",
+            "baseScore": 5.2,
+            "baseSeverity": "MEDIUM",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "HIGH",
+            "scope": "UNCHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page"
                    }
                ]
            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-4x48-q2wr-cpg4",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-4x48-q2wr-cpg4"
+            },
+            {
+                "name": "https://huntr.dev/bounties/54fc907e-6983-4c24-b249-1440aac1643c/",
+                "refsource": "MISC",
+                "url": "https://huntr.dev/bounties/54fc907e-6983-4c24-b249-1440aac1643c/"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-4x48-q2wr-cpg4",
+        "discovery": "UNKNOWN"
+    }
 }