CVE-2022-24917
Description
An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| — | Affected | — |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1:6.0.7+dfsg-2 |
| sid | Fixed | 1:6.0.7+dfsg-2 |
| forky | Fixed | 1:6.0.7+dfsg-2 |
| bullseye | Fixed | 1:5.0.44+dfsg-1+deb11u1 |
| bookworm | Fixed | 1:6.0.7+dfsg-2 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.