Bug 2160334 (CVE-2022-4730) - CVE-2022-4730 graphite-web: Cross-site scripting vulnerability
Summary: CVE-2022-4730 graphite-web: Cross-site scripting vulnerability
Keywords:
Status: NEW
Alias: CVE-2022-4730
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2160337 2160339 2160342
Blocks: 2156345
 
Reported: 2023-01-12 05:22 UTC by Avinash Hanwate
Modified: 2023-07-07 08:32 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the graphite-web package. Affected versions of this package are vulnerable to cross-site scripting (XSS).
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-01-12 05:22:39 UTC
A vulnerability was found in Graphite Web. It has been classified as problematic. Affected is an unknown function of the component Absolute Time Range Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216744.

https://github.com/graphite-project/graphite-web/commit/2f178f490e10efc03cd1d27c72f64ecab224eb23
https://vuldb.com/?id.216744
https://github.com/graphite-project/graphite-web/issues/2746
https://github.com/graphite-project/graphite-web/pull/2785

Comment 1 Avinash Hanwate 2023-01-12 05:24:03 UTC
Created graphite-web tracking bugs for this issue:

Affects: epel-all [bug 2160339]
Affects: fedora-all [bug 2160337]

