CVE-2022-23466

描述

### Description teler prior to version <= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. ### Impact This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users. ### Affected Version This issue was introduced from version `v2.0.0-rc` to `v2.0.0-rc.3` & `v2.0.0-dev`. ### Patches This vulnerability has been fixed on version `v2.0.0-rc.4` & `v2.0.0-dev.2`. ### Workarounds Here are some workarounds to handle this case: - Deactivate the live event dashboard from the configuration file, or - Upgrade teler version to `v2.0.0-rc.4` or `v2.0.0-dev.2` & above. ### References - https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e

如何修補 CVE-2022-23466

要修補 CVE-2022-23466,請將受影響套件升級到下列已修補版本。

• —升級至 2.0.0-rc.4 或更新版本

CVE-2022-23466 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 2.0.0-rc, < 2.0.0-rc.4

CVSS 分數

參考連結(4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23466
• PATCHgithub.com/kitabisa/teler
• WEBgithub.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e
• WEBgithub.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q