Cyber Resilience

CVE-2022-23544

Severity: High · Public PoC available

Published: 28 December 2022

Modified: 21 November 2024
KEV Added: not listed in the CISA KEV catalog
Patch: fixed in release 2.5.0
CVSS v3.1 score: 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.2357 (percentile 96.1)
Risk priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-23544 is a high-severity Cross-site Scripting (CWE-79) vulnerability in MeterSphere (vendor: MeterSphere). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

MeterSphere versions prior to 2.5.0 contain a server-side request forgery vulnerability in the IssueProxyResourceService::getMdImageByUrl method that leads to reflected cross-site scripting. The flaw is tracked under CWE-918 and CWE-79 and carries a CVSS 3.1 score of 7.2 with network attack vector, no authentication or user interaction required, and changed scope.

An unauthenticated remote attacker can supply a crafted URL that causes the application to fetch arbitrary internal or external resources. Successful exploitation allows the attacker to reach otherwise inaccessible systems and to execute JavaScript in the context of the MeterSphere origin when a victim views the reflected response.

The issue is resolved in release 2.5.0; the fix is documented in GitHub security advisory GHSA-vrv6-cg45-rmjj and the corresponding commit d0f95b50737c941b29d507a4cc3545f2dc6ab121. No workarounds are known. The EPSS score has remained stable near 0.23 with no material post-disclosure rise.


Vulnerability details

MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side Request Forgery in `IssueProxyResourceService::getMdImageByUrl` allows an attacker to access internal resources, as well as to execute JavaScript code in the context of MeterSphere's origin via a victim of a reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds.

CWE(s): CWE-918 (Server-Side Request Forgery), CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: metersphere
Product: metersphere
Affected versions: ≤ 2.5.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses: CWE-79, CWE-918)
- Validates web inputs to reject script-related content that could produce XSS. (addresses: CWE-79, CWE-918)
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. (addresses: CWE-918)
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses: CWE-79)
- Detects server-side request forgery through monitoring of unexpected outbound connections. (addresses: CWE-918)
