CVE-2022-38256: wizlynx group | Stored Cross-Site Scripting (XSS) Vulnerability in TastyIgniter v3.5.0

TastyIgniter v3.5.0 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload.


Vendor:
Product: TastyIgniter
Affected Version(s): 3.5.0 and probably prior
Tested Version(s): 3.5.0
Vendor Notification: 13 June 2022
Advisory Publication: 13 June 2022 [without technical details]
Vendor Fix: N/A
Public Disclosure: 13 June 2022
Latest Modification: 09 June 2022
CVE Identifier: Pending

Product Description

A free online ordering system for restaurants & takeaways based on Laravel PHP Framework.

Credits

Oswaldo Morales Rodríguez Security Researcher & Penetration Tester @wizlynx group

Stored XSS

Severity: Medium

CVSS Score: 5.4

CWE-ID: CWE-79

Status: Open

Vulnerability Description

TastyIgniter version 3.5.0 is affected by a stored cross-site scripting (XSS) vulnerability. An attacker can use it to inject malicious JavaScript into the application, which then executes in the browser of any user who views the affected content. The injected code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
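The advisory withholds the affected field, so the following is an added illustration of the CWE-79 mitigation a Laravel application relies on (contextual output encoding), not TastyIgniter's own code: `$review` is a constructed record, and `render_unsafe()`/`render_safe()` are hypothetical view functions standing in for a Blade template.

```php
<?php
// Added example (not TastyIgniter's code): contextual output encoding in a
// Laravel-style PHP view, the standard mitigation for stored XSS (CWE-79).
// Assumption: $review is a hypothetical stored record; the advisory does not
// disclose which TastyIgniter field is affected.

declare(strict_types=1);

// Escape untrusted text for an HTML element body or a double-quoted attribute.
// ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape untrusted text for embedding as a JavaScript string literal.
// The JSON_HEX_* flags encode < > & ' " as \uXXXX so the value cannot
// terminate a <script> block or break out of the literal.
function escape_js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Vulnerable rendering: the stored value is concatenated into markup unescaped.
// This is what Blade's raw {!! $var !!} syntax produces.
function render_unsafe(array $review): string
{
    return "<p class=\"review\">{$review['comment']}</p>";
}

// Hardened rendering: each untrusted value is encoded for the context it lands in.
// Blade's default {{ $var }} applies the equivalent of escape_html().
function render_safe(array $review): string
{
    $comment = escape_html($review['comment']);
    $author  = escape_html($review['author']);
    $json    = escape_js($review['author']);
    return "<p class=\"review\" data-author=\"{$author}\">{$comment}</p>\n"
         . "<script>console.log('review by', {$json});</script>";
}

// Constructed sample: a stored comment and author name containing markup.
$review = [
    'author'  => 'anon" onmouseover="x',
    'comment' => '<b>nice</b><img src=x onerror=alert(1)>',
];

echo render_unsafe($review), "\n"; // markup reaches the browser intact
echo render_safe($review), "\n";   // markup is rendered as literal text
```

Escaping belongs at the output step, not at storage time: a value saved once may be rendered into several contexts (HTML, attribute, script), and each needs its own encoding.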

CVSS Base Score

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Full details about the vulnerability will be disclosed once the vendor has provided a patch.
