CVE-2022-23466

Description

### Description teler prior to version <= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. ### Impact This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users. ### Affected Version This issue was introduced from version `v2.0.0-rc` to `v2.0.0-rc.3` & `v2.0.0-dev`. ### Patches This vulnerability has been fixed on version `v2.0.0-rc.4` & `v2.0.0-dev.2`. ### Workarounds Here are some workarounds to handle this case: - Deactivate the live event dashboard from the configuration file, or - Upgrade teler version to `v2.0.0-rc.4` or `v2.0.0-dev.2` & above. ### References - https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e

How to fix CVE-2022-23466

To remediate CVE-2022-23466, upgrade the affected package to a fixed version below.

• —upgrade to 2.0.0-rc.4 or later

Is CVE-2022-23466 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2.0.0-rc, < 2.0.0-rc.4

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23466
• PATCHgithub.com/kitabisa/teler
• WEBgithub.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e
• WEBgithub.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q