CVE-2022-41947

CVSS V2 None CVSS V3 None
Description
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints.
Overview
  • CVE ID
  • CVE-2022-41947
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-08T23:15:10
  • Last Modified Date
  • 2022-12-12T18:36:04
Weakness Enumerations
CWE URL
CWE-79 http://cwe.mitre.org/data/definitions/79.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:* 1 OR 2.35.0 2.36.12.1
cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:* 1 OR 2.37.0 2.37.8.1
cpe:2.3:a:dhis2:dhis_2:*:*:*:*:*:*:*:* 1 OR 2.38.0 2.38.2.1
cpe:2.3:a:dhis2:dhis_2:2.39.0:*:*:*:*:*:*:* 1 OR
References
Reference URL Reference Tags
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-41947
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41947
History
Created Old Value New Value Data Type Notes
2022-12-08 23:16:24 Added to TrackCVE
2022-12-09 14:14:31 2022-12-08T23:15:10.813 2022-12-08T23:15:10 CVE Published Date updated
2022-12-09 14:14:31 2022-12-09T13:48:03 CVE Modified Date updated
2022-12-09 14:14:31 Received Awaiting Analysis Vulnerability Status updated
2022-12-12 12:24:17 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2022-12-12 19:15:36 2022-12-12T18:36:04 CVE Modified Date updated
2022-12-12 19:15:36 Undergoing Analysis Analyzed Vulnerability Status updated
2022-12-12 19:15:37 CPE Information updated