CVE-2022-26088

 

Published at: - 10-11-2022 10:15

Last modified: - 15-11-2022 09:46

Total changes: - 3

Description

An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated."

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

 

Verification logic

 

Reference

• https://sec-consult.com/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/
• 20221115 SEC Consult SA-20221110-0 :: HTML Injection in BMC Remedy ITSM-Suite-Exploit, Third Party Advisory
• http://packetstormsecurity.com/files/169863/BMC-Remedy-ITSM-Suite-9.1.10-20.02-HTML-Injection.html

 

Keywords

NVD

 

CVE-2022-26088

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures