CVE-2022-40711 | {err0rr}

EJBCA Stored XSS | CVE-2022-40711

The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2022-40711 to this issue. This is an entry on the CVE List, which standardises names for security problems.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40711

https://support.keyfactor.com/s/detail/a6x1Q000000CwCjQAK

CVE ID: CVE-2022-40711
Date of Disclosure: 11th September 2022
Vendor, Product: Primekey, EJBCA
Affected Product: Ejbca Version 7.9.0.2

Severity Rating: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (CVSS Base Score: 8.1)

EJBCA 7.9.0.2 Community is having a stored XSS vulnerability in an ‘End Entity’ section. A user with ‘RA Administrator’ can inject scripts and XSS the higher privilege users..

POC:

Credit: Verneet Singh

{err0rr}

< blog by Verneet / >

EJBCA Stored XSS | CVE-2022-40711

{@err0rrrrr}

{ @verneet}

EJBCA Stored XSS | CVE-2022-40711

{<img src="https://i1.wp.com/verneet.com/wp-content/uploads/2021/06/twitter-1.png?resize=24%2C24&#038;ssl=1" alt="" width="24" height="24" class="alignnone size-full wp-image-2839" style="margin-bottom:-5px;" data-recalc-dims="1" />@err0rrrrr}

{<img src="https://i0.wp.com/verneet.com/wp-content/uploads/2021/06/linkedin.png?resize=24%2C24&#038;ssl=1" alt="" width="24" height="24" class="alignnone size-full wp-image-2839" style="margin-bottom:-5px;" data-recalc-dims="1" /> @verneet}

{@err0rrrrr}

{ @verneet}