
CVE-2022-3869

Severity: Medium · Public PoC

Published: 05 November 2022
Modified: 21 November 2024
KEV Added: (not listed)
Patch: (see vendor fix below)
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1486 (94.7th percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-3869 is a medium-severity Code Injection (CWE-94) vulnerability in Froxlor. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-3869 is a code injection vulnerability, also referenced under CWE-94 and CWE-79, that affects the froxlor/froxlor GitHub repository in versions prior to 0.10.38.2. The flaw carries a CVSS 3.1 score of 6.1 with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a remotely exploitable issue that requires user interaction and results in limited impacts to confidentiality and integrity with changed scope.

An unauthenticated remote attacker can exploit the vulnerability by supplying crafted input that is processed by the application, enabling injection of arbitrary code or cross-site scripting payloads. Successful exploitation allows the attacker to execute malicious actions within the context of affected users or sessions, potentially leading to unauthorized data access or modification without needing prior privileges.

The referenced GitHub commit and huntr.dev bounty entries document the remediation, which consists of applying the fix released in froxlor version 0.10.38.2. The EPSS score reached a peak of 0.1654 with a current value of 0.1486, but the provided data does not indicate a material rise from a low baseline after disclosure.


Vulnerability details

Code Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2.

CWE(s)

CWE-94 (Code Injection), CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: froxlor
Product: froxlor
Versions: ≤ 0.10.38.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-79, CWE-94: Validates web inputs to reject script-related content that could produce XSS.
- Addresses CWE-79: Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Addresses CWE-79: Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.

References