CVE-2022-47877
Published: 02 May 2023
Summary
CVE-2022-47877 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Jedox. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 12.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-47877 is a stored cross-site scripting vulnerability affecting Jedox version 2020.2.5. The flaw resides in the log module and permits injection of arbitrary web script or HTML that is subsequently rendered on the Logs page.
Remote authenticated users can trigger the issue by submitting crafted input through the affected log module, resulting in persistent script execution in the browser of any other user who views the Logs page. The CVSS 3.1 score of 5.4 reflects a network attack vector, low attack complexity, and required user interaction, with low confidentiality and integrity impact under a changed scope (the script runs in the victim's browser rather than in the vulnerable component itself).
Public references consist of a Packet Storm exploit entry and a Syslifters vulnerability disclosure report dated April 2023; neither document details vendor patches or specific mitigation steps. The associated EPSS score rose from lower values to a peak of 0.0797 on 2026-05-07 before receding to the current 0.0312, indicating a temporary increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-50634
Vulnerability details
A Stored cross-site scripting vulnerability in Jedox 2020.2.5 allows remote, authenticated users to inject arbitrary web script or HTML in the Logs page via the log module 'log'.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.