How severe is CVE-2022-24039?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9 out of 10.

What type of vulnerability is CVE-2022-24039?

This is classified as CWE-75, which is a common weakness in software security.

CVE-2022-24039 - CRITICAL Severity | CVSS 9

Vulnerability Description

A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The “addCell” JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator’s workstation.

Related Vulnerabilities

CVE-2023-1758

HIGH

CVSS:8.9(High)

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

CWE-752023

CVE-2021-39174

HIGH

CVSS:8.8(High)

Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv fi...

CWE-752021

CVE-2023-23912

HIGH

CVSS:8.8(High)

A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhc...

CWE-752023

CVE-2023-27533

HIGH

CVSS:8.8(High)

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server...

CWE-752023

CVE-2024-31809

HIGH

CVSS:8.8(High)

TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the FileName parameter in the setUpgradeFW function.

CWE-752024

CVE-2024-37779

HIGH

CVSS:8.8(High)

WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality.

CWE-752024