CVE-2022-23544
Published: 28 December 2022
Summary
CVE-2022-23544 is a high-severity Cross-site Scripting (CWE-79) vulnerability in MeterSphere. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
MeterSphere versions prior to 2.5.0 contain a server-side request forgery vulnerability in the IssueProxyResourceService::getMdImageByUrl method that leads to reflected cross-site scripting. The flaw is tracked under CWE-918 and CWE-79 and carries a CVSS 3.1 score of 7.2 with network attack vector, no authentication or user interaction required, and changed scope.
An unauthenticated remote attacker can supply a crafted URL that causes the application to fetch arbitrary internal or external resources. Successful exploitation allows the attacker to reach otherwise inaccessible systems and to execute JavaScript in the context of the MeterSphere origin when a victim views the reflected response.
The issue is resolved in release 2.5.0; the fix is documented in GitHub security advisory GHSA-vrv6-cg45-rmjj and the corresponding commit d0f95b50737c941b29d507a4cc3545f2dc6ab121. No workarounds are known. The EPSS score has remained stable near 0.23 with no material post-disclosure rise.
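As an added illustration (not MeterSphere's code and not the upstream fix in the commit cited above), the following Python sketch shows the two checks an image-proxy endpoint such as `getMdImageByUrl` needs to close both halves of this flaw: refusing URLs whose host resolves to a non-public address, and refusing to relay any fetched body that is not demonstrably an image. The scheme allowlist, the magic-byte table and the injectable `resolve` hook are assumptions of the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed policy for this example: a markdown image proxy should only
# fetch http(s) URLs and only relay bodies it can prove are images.
ALLOWED_SCHEMES = {"http", "https"}
IMAGE_MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff",
               "image/gif": b"GIF8", "image/webp": b"RIFF"}

def _is_public_ip(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # scoped IPv6 literals etc.: treat as unsafe
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_image_url(url, resolve=None):
    """Return (ok, reason). Rejects non-http(s) schemes, embedded credentials
    and hosts that resolve to any non-public address (the SSRF half).
    `resolve` is injectable so the check runs offline; the default does a
    real DNS lookup. The fetch must then connect to the returned addresses,
    not re-resolve the name, or a rebinding DNS record bypasses the check."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if resolve is None:
        resolve = lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None)}
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    if not addrs or not all(_is_public_ip(a) for a in addrs):
        return False, "host resolves to a non-public address"
    return True, "ok"

def proxy_response_headers(upstream_content_type, body):
    """Headers for relaying a fetched body, or None if it must not be served
    (the XSS half). Trusting the upstream Content-Type is what lets HTML
    reach the browser in the proxy's origin: require a declared image type
    that matches the body's magic bytes, and pin the type with nosniff."""
    ctype = (upstream_content_type or "").split(";")[0].strip().lower()
    if ctype not in IMAGE_MAGIC or not body.startswith(IMAGE_MAGIC[ctype]):
        return None
    return {"Content-Type": ctype, "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}
```

Both functions are pure so they can be unit-tested with a stubbed resolver; in production the address list returned by `resolve` should be the one the HTTP client actually connects to.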
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28562
Vulnerability details
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side Request Forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as to execute JavaScript code in the context of MeterSphere's origin in the browser of a victim of the reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.
- CWE(s): CWE-918 (Server-Side Request Forgery), CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Outbound connections to external resources can be monitored and limited at the network boundary, reducing the impact of SSRF.
- Output validation against the expected content type can reject or sanitize script content in generated web pages, reducing XSS exploitability.
- Network monitoring detects server-side request forgery by flagging unexpected outbound connections from the application server.