EJBCA Stored XSS | CVE-2022-40711

The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID​ CVE-2022-40711 to this issue. This is an entry on the CVE List, which standardises names for security problems.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40711

CVE ID: CVE-2022-40711
Date of Disclosure: 11th September 2022
Vendor, Product: Primekey, EJBCA
Affected Product: Ejbca Version 7.9.0.2

Severity Rating: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (CVSS Base Score: 8.1)

EJBCA 7.9.0.2 Community is having a stored XSS vulnerability in an ‘End Entity’ section. A user with ‘RA Administrator’ can inject scripts and XSS the higher privilege users..

POC:

 

 

Credit: Verneet Singh