CVE-2022-22109: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

January 8, 2022

In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks.

References

github.com/Bottelet/DaybydayCRM/commit/002dc75f400cf307bd00b71a5a93f1e26e52cee2
github.com/advisories/GHSA-jr37-66pj-36v7
nvd.nist.gov/vuln/detail/CVE-2022-22109
www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22109

Code Behaviors & Features

Detect and mitigate CVE-2022-22109 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →