CVE Vulnerability

CVE-2022-21649

Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create an tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "" but escaping for double quotes does not exist. Through this vulnerability, an attacker is capable to execute malicious scripts. Users are advised to update as soon as possible.

3.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/convos-chat/convos/security/advisories/GHSA-xmpj-xwm3-vww7 Patch Third Party Advisory
https://github.com/convos-chat/convos/commit/86b2193de375005ba71d9dd53843562c6ac1847c Patch Third Party Advisory
https://www.huntr.dev/bounties/4532a0ac-4e7c-4fcf-9fe3-630e132325c0/ Exploit Patch
https://blog.pocas.kr/2021/12/30/2021-12-30-s-xss-convos-chat/#Second-vulnerability Broken Link Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:convos:convos:*:*:*:*:*:*:*:*
Information

Published : 2022-01-04 09:15

Updated : 2022-01-08 02:46

NVD link : CVE-2022-21649

Mitre link : CVE-2022-21649

Products Affected
No products.
CWE
CWE-79