CVE-2022-21649

By Year
2022
CVE-2022-21649

Track security vulnerabilities

Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create an <a> tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "<" or ">" but escaping for double quotes does not exist. Through this vulnerability, an attacker is capable to execute malicious scripts. Users are advised to update as soon as possible.

Published at

2022-01-04

12 days ago

Modified

2022-01-04

12 days ago

2022

Year

The year of the turtle

https://github.com/convos-chat/convos/security/advisories/GHSA-xmpj-xwm3-vww7

CONFIRM:https://github.com/convos-chat/convos/security/advisories/GHSA-xmpj-xwm3-vww7

Read More about it More info

https://blog.pocas.kr/2021/12/30/2021-12-30-s-xss-convos-chat/#Second-vulnerability

MISC:https://blog.pocas.kr/2021/12/30/2021-12-30-s-xss-convos-chat/#Second-vulnerability

Read More about it More info

https://github.com/convos-chat/convos/commit/86b2193de375005ba71d9dd53843562c6ac1847c

MISC:https://github.com/convos-chat/convos/commit/86b2193de375005ba71d9dd53843562c6ac1847c

Read More about it More info

https://www.huntr.dev/bounties/4532a0ac-4e7c-4fcf-9fe3-630e132325c0/

MISC:https://www.huntr.dev/bounties/4532a0ac-4e7c-4fcf-9fe3-630e132325c0/

Read More about it More info

Vulnerability RAW

{
	"Title": {
		"_text": "CVE-2022-21649"
	},
	"Notes": {
		"Note": [
			{
				"_text": "Convos is an open source multi-user chat that runs in a web browser. Characters starting with \"https://\" in the chat window create an <a> tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for \"<\" or \">\" but escaping for double quotes does not exist. Through this vulnerability, an attacker is capable to execute malicious scripts. Users are advised to update as soon as possible."
			},
			{
				"_text": "2022-01-04"
			},
			{
				"_text": "2022-01-04"
			}
		]
	},
	"CVE": {
		"_text": "CVE-2022-21649"
	},
	"References": {
		"Reference": [
			{
				"URL": {
					"_text": "https://github.com/convos-chat/convos/security/advisories/GHSA-xmpj-xwm3-vww7"
				},
				"Description": {
					"_text": "CONFIRM:https://github.com/convos-chat/convos/security/advisories/GHSA-xmpj-xwm3-vww7"
				}
			},
			{
				"URL": {
					"_text": "https://blog.pocas.kr/2021/12/30/2021-12-30-s-xss-convos-chat/#Second-vulnerability"
				},
				"Description": {
					"_text": "MISC:https://blog.pocas.kr/2021/12/30/2021-12-30-s-xss-convos-chat/#Second-vulnerability"
				}
			},
			{
				"URL": {
					"_text": "https://github.com/convos-chat/convos/commit/86b2193de375005ba71d9dd53843562c6ac1847c"
				},
				"Description": {
					"_text": "MISC:https://github.com/convos-chat/convos/commit/86b2193de375005ba71d9dd53843562c6ac1847c"
				}
			},
			{
				"URL": {
					"_text": "https://www.huntr.dev/bounties/4532a0ac-4e7c-4fcf-9fe3-630e132325c0/"
				},
				"Description": {
					"_text": "MISC:https://www.huntr.dev/bounties/4532a0ac-4e7c-4fcf-9fe3-630e132325c0/"
				}
			}
		]
	}
}