How severe is CVE-2022-23475?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2022-23475?

This is classified as CWE-79, which is a common weakness in software security.

CVE-2022-23475 - HIGH Severity | CVSS 8.8

Vulnerability Description

daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy.

Related Vulnerabilities

CVE-2007-4040

HIGH

CVSS:8.8(High)

Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbit...

CWE-792007

CVE-2013-4225

HIGH

CVSS:8.8(High)

The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote aut...

CWE-792013

CVE-2013-6364

HIGH

CVSS:8.8(High)

Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book

CWE-792013

CVE-2017-12343

HIGH

CVSS:8.8(High)

Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a maliciou...

CWE-792017

CVE-2017-7666

HIGH

CVSS:8.8(High)

Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.

CWE-792017

CVE-2017-8332

HIGH

CVSS:8.8(High)

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking key words passing in the web traffic to p...

CWE-792017