CVE-2022-29230
CVSS V2 Low 3.5
CVSS V3 Medium 5.4
Description
Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.
Overview
- CVE ID
- CVE-2022-29230
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-05-18T21:15:07
- Last Modified Date
- 2022-06-01T19:55:39
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:shopify:hydrogen:*:*:*:*:*:node.js:*:* | 1 | OR | 0.10.0 | 0.19.0 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:S/C:N/I:P/A:N
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- SINGLE
- Confidentiality Impact
- NONE
- Integrity Impact
- PARTIAL
- Availability Impact
- NONE
- Base Score
- 3.5
- Severity
- LOW
- Exploitability Score
- 6.8
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- REQUIRED
- Scope
- CHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 5.4
- Base Severity
- MEDIUM
- Exploitability Score
- 2.3
- Impact Score
- 2.7
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-29230 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29230 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-05-18 23:00:11 | Added to TrackCVE |