Vulnerability Details CVE-2022-38790
Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permission. The exposure appears in Weave GitOps Enterprise UI via a GitopsCluster dashboard link. An annotation can be added to a GitopsCluster custom resource.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 52.9%
CVSS Severity
CVSS v3 Score 5.4
References
- https://docs.gitops.weave.works/docs/cluster-management/getting-started/#profiles-and-clusters
- https://docs.gitops.weave.works/docs/intro
- https://docs.gitops.weave.works/security/cve/enterprise/CVE-2022-38790/index.html
- https://www.weave.works/product/gitops-enterprise/
- https://docs.gitops.weave.works/docs/cluster-management/getting-started/#profiles-and-clusters
- https://docs.gitops.weave.works/docs/intro
- https://docs.gitops.weave.works/security/cve/enterprise/CVE-2022-38790/index.html
- https://www.weave.works/product/gitops-enterprise/
Products affected by CVE-2022-38790
-
cpe:2.3:a:weave.works:gitops:-
-
cpe:2.3:a:weave.works:gitops:0.0.1
-
cpe:2.3:a:weave.works:gitops:0.0.2
-
cpe:2.3:a:weave.works:gitops:0.0.3
-
cpe:2.3:a:weave.works:gitops:0.0.4
-
cpe:2.3:a:weave.works:gitops:0.0.5
-
cpe:2.3:a:weave.works:gitops:0.1.0
-
cpe:2.3:a:weave.works:gitops:0.2.0
-
cpe:2.3:a:weave.works:gitops:0.2.1
-
cpe:2.3:a:weave.works:gitops:0.2.2
-
cpe:2.3:a:weave.works:gitops:0.2.3
-
cpe:2.3:a:weave.works:gitops:0.2.4
-
cpe:2.3:a:weave.works:gitops:0.2.5
-
cpe:2.3:a:weave.works:gitops:0.3.0
-
cpe:2.3:a:weave.works:gitops:0.3.1
-
cpe:2.3:a:weave.works:gitops:0.3.2
-
cpe:2.3:a:weave.works:gitops:0.3.3
-
cpe:2.3:a:weave.works:gitops:0.4.0
-
cpe:2.3:a:weave.works:gitops:0.4.1
-
cpe:2.3:a:weave.works:gitops:0.5.0
-
cpe:2.3:a:weave.works:gitops:0.5.1
-
cpe:2.3:a:weave.works:gitops:0.6.0
-
cpe:2.3:a:weave.works:gitops:0.6.1
-
cpe:2.3:a:weave.works:gitops:0.6.2
-
cpe:2.3:a:weave.works:gitops:0.7.0
-
cpe:2.3:a:weave.works:gitops:0.7.1
-
cpe:2.3:a:weave.works:gitops:0.8.0
-
cpe:2.3:a:weave.works:gitops:0.8.1
-
cpe:2.3:a:weave.works:gitops:0.9.0