Vulnerability-Lookup

CVE-2022-23466 (GCVE-0-2022-23466)

Vulnerability from cvelistv5 – Published: 2022-12-06 17:58 – Updated: 2025-04-23 16:32

Title

DOM-based cross-site scripting (XSS) in teler dashboard

Summary

teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/kitabisa/teler/security/adviso…	x_refsource_CONFIRM
	https://github.com/kitabisa/teler/commit/20f59eda…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	kitabisa	teler	Affected: >= v2.0.0-rc, < v2.0.0-rc.4 Affected: = v2.0.0-dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:45.889Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q"
          },
          {
            "name": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23466",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:52:59.457509Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:32:01.139Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "teler",
          "vendor": "kitabisa",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= v2.0.0-rc, \u003c v2.0.0-rc.4"
            },
            {
              "status": "affected",
              "version": "= v2.0.0-dev"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-06T17:58:52.867Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q"
        },
        {
          "name": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e"
        }
      ],
      "source": {
        "advisory": "GHSA-xr7p-8q82-878q",
        "discovery": "UNKNOWN"
      },
      "title": "DOM-based cross-site scripting (XSS) in teler dashboard"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23466",
    "datePublished": "2022-12-06T17:58:52.867Z",
    "dateReserved": "2022-01-19T21:23:53.755Z",
    "dateUpdated": "2025-04-23T16:32:01.139Z",
    "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q\", \"name\": \"https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e\", \"name\": \"https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T03:43:45.889Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-23466\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:52:59.457509Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T13:53:00.725Z\"}}], \"cna\": {\"title\": \"DOM-based cross-site scripting (XSS) in teler dashboard\", \"source\": {\"advisory\": \"GHSA-xr7p-8q82-878q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"kitabisa\", \"product\": \"teler\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= v2.0.0-rc, \u003c v2.0.0-rc.4\"}, {\"status\": \"affected\", \"version\": \"= v2.0.0-dev\"}]}], \"references\": [{\"url\": \"https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q\", \"name\": \"https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e\", \"name\": \"https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-12-06T17:58:52.867Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-23466\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T16:32:01.139Z\", \"dateReserved\": \"2022-01-19T21:23:53.755Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-12-06T17:58:52.867Z\", \"requesterUserId\": \"c184a3d9-dc98-4c48-a45b-d2d88cf0ac74\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2022-23466

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-23466

Aliases

CVE-2022-23466

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-23466",
    "id": "GSD-2022-23466"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-23466"
      ],
      "details": "teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
      "id": "GSD-2022-23466",
      "modified": "2023-12-13T01:19:35.483627Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-23466",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "teler",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= v2.0.0-rc, \u003c v2.0.0-rc.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= v2.0.0-dev"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "kitabisa"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q",
            "refsource": "MISC",
            "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q"
          },
          {
            "name": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e",
            "refsource": "MISC",
            "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xr7p-8q82-878q",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "=2.0.0-dev||\u003e=2.0.0-rc \u003c=2.0.0-rc.3",
          "affected_versions": "Version 2.0.0-dev, all versions starting from 2.0.0-rc up to 2.0.0-rc.3",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-12-06",
          "description": "teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "fixed_versions": [
            "2.0.0-dev.2",
            "2.0.0-rc.4"
          ],
          "identifier": "CVE-2022-23466",
          "identifiers": [
            "GHSA-xr7p-8q82-878q",
            "CVE-2022-23466"
          ],
          "not_impacted": "All versions before 2.0.0-dev, all versions after 2.0.0-dev before 2.0.0-rc, all versions after 2.0.0-rc.3",
          "package_slug": "go/teler.app",
          "pubdate": "2022-12-06",
          "solution": "Upgrade to versions 2.0.0-dev.2, 2.0.0-rc.4 or above. *Note*: 2.0.0-rc.4 may be an unstable version. Use caution.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q",
            "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e",
            "https://github.com/advisories/GHSA-xr7p-8q82-878q"
          ],
          "uuid": "7369c233-5e29-4a6c-8621-20e6a97a8342"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:teler_project:teler:2.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:teler_project:teler:2.0.0:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:teler_project:teler:2.0.0:dev:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:teler_project:teler:2.0.0:rc:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23466"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e"
            },
            {
              "name": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-12-09T13:37Z",
      "publishedDate": "2022-12-06T18:15Z"
    }
  }
}

FKIE_CVE-2022-23466

Vulnerability from fkie_nvd - Published: 2022-12-06 18:15 - Updated: 2024-11-21 06:48

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q	Patch, Third Party Advisory

Impacted products

Vendor	Product	Version
teler_project	teler	2.0.0
teler_project	teler	2.0.0
teler_project	teler	2.0.0
teler_project	teler	2.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:teler_project:teler:2.0.0:dev:*:*:*:*:*:*",
              "matchCriteriaId": "B8D05462-0FF8-4C55-8D74-32792BCFE605",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:teler_project:teler:2.0.0:rc:*:*:*:*:*:*",
              "matchCriteriaId": "3C0CCA04-45FC-4F70-8370-D9996B6689B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:teler_project:teler:2.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "9AFDB28D-E9A2-4255-BE1E-2B5A0EBAD9F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:teler_project:teler:2.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "333A02F9-5BA3-45F4-BB8B-FC84F49DF75B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "teler es un panel de alerta de amenazas y detecci\u00f3n de intrusiones en tiempo real. Teler anterior a la versi\u00f3n 2.0.0-rc.4 es vulnerable a Cross-Site Scripting (XSS) basadas en DOM en el panel de Teler. Cuando Teler solicita mensajes del flujo de eventos en el endpoint `/events`, los datos de registro que se muestran en el panel no se sanitizan. Esto solo afecta a los usuarios autenticados y solo puede explotarse en funci\u00f3n de las amenazas detectadas si el registro contiene un payload de scripts DOM. Esta vulnerabilidad se ha solucionado en la versi\u00f3n `v2.0.0-rc.4`. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2022-23466",
  "lastModified": "2024-11-21T06:48:37.047",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-12-06T18:15:09.997",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-XR7P-8Q82-878Q

Vulnerability from github – Published: 2022-12-06 15:36 – Updated: 2025-07-08 19:39

Summary

teler dashboard vulnerable to DOM-based cross-site scripting (XSS)

Details

Description

teler prior to version <= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the /events endpoint, the log data displayed on the dashboard are not sanitized.

Impact

This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users.

Affected Version

This issue was introduced from version v2.0.0-rc to v2.0.0-rc.3 & v2.0.0-dev.

Patches

This vulnerability has been fixed on version v2.0.0-rc.4 & v2.0.0-dev.2.

Workarounds

Here are some workarounds to handle this case: - Deactivate the live event dashboard from the configuration file, or - Upgrade teler version to v2.0.0-rc.4 or v2.0.0-dev.2 & above.

References

https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e

Severity ?

3.1 (Low)


                  
                    CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-rc.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "teler.app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-rc"
            },
            {
              "fixed": "2.0.0-rc.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "teler.app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-dev"
            },
            {
              "fixed": "2.0.0-dev.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.0.0-dev"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "teler.app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20220625162531-2289e90590a9"
            },
            {
              "fixed": "0.0.0-20221203202318-20f59eda2420"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "teler.app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.3-0.20220625162531-2289e90590a9"
            },
            {
              "fixed": "1.2.3-0.20221203202318-20f59eda2420"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T15:36:15Z",
    "nvd_published_at": "2022-12-06T18:15:00Z",
    "severity": "LOW"
  },
  "details": "### Description\n\nteler prior to version \u003c= 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized.\n\n### Impact\n\nThis only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This indicates a low severity and there is no significant impact on the users.\n\n### Affected Version\n\nThis issue was introduced from version `v2.0.0-rc` to `v2.0.0-rc.3` \u0026 `v2.0.0-dev`.\n\n### Patches\n\nThis vulnerability has been fixed on version `v2.0.0-rc.4` \u0026 `v2.0.0-dev.2`.\n\n### Workarounds\n\nHere are some workarounds to handle this case:\n- Deactivate the live event dashboard from the configuration file, or\n- Upgrade teler version to `v2.0.0-rc.4` or `v2.0.0-dev.2` \u0026 above.\n\n### References\n\n- https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e",
  "id": "GHSA-xr7p-8q82-878q",
  "modified": "2025-07-08T19:39:18Z",
  "published": "2022-12-06T15:36:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kitabisa/teler/security/advisories/GHSA-xr7p-8q82-878q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23466"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kitabisa/teler/commit/20f59eda2420ac64e29f199a61230a0abc875e8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kitabisa/teler"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "teler dashboard vulnerable to DOM-based cross-site scripting (XSS)"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-23466 (GCVE-0-2022-23466)

GSD-2022-23466

FKIE_CVE-2022-23466

GHSA-XR7P-8Q82-878Q

Description

Impact

Affected Version

Patches

Workarounds

References

Tags

Sightings

Nomenclature