CVE-2022-22115

Public Exploit
Teedy - Stored Cross-Site Scripting (XSS) in Tag Name

Description

In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Because the Tag name is not properly sanitized on the edit tag page, a low-privileged attacker can store malicious scripts in the name of the Tag. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator and privilege escalation.

Remediation

Solution:

  • Update to Teedy v1.10

CVSS: 9.0
Severity: Critical
EPSS: 0.35%
Affected: sismics docs

References

  • Third-Party Advisory: github.com
  • Third-Party Advisory: whitesourcesoftware.com

Frequently Asked Questions

What is the severity of CVE-2022-22115?
CVE-2022-22115 has been scored as a critical severity vulnerability.
How to fix CVE-2022-22115?
To fix CVE-2022-22115: Update to Teedy v1.10
Is CVE-2022-22115 being actively exploited in the wild?
Based on public information, it is possible that CVE-2022-22115 is being exploited or will be exploited in the near future. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-22115?
CVE-2022-22115 affects sismics docs.