Server-Side JavaScript Injection in Appsmith
CVE-2022-39824

8.9HIGH

Key Information:

Vendor: Appsmith
Status: Appsmith
Vendor: CVE Published:; 5 September 2022

What is CVE-2022-39824?

A vulnerability in Appsmith allows remote attackers to execute arbitrary JavaScript code via the currentItem property of the list widget. This can lead to unauthorized actions, denial of service (DoS) attacks, and potential information leakage. Users of Appsmith version 1.7.14 are advised to implement immediate security measures to mitigate these risks. For detailed information, refer to the release notes and proof of concept available on GitHub.

References

https://github.com/FCncdn/Appsmith-Js-Injection-POC

x_refsource_MISC

https://github.com/appsmithorg/appsmith/releases

x_refsource_MISC

CVSS V3.1

Score:

8.9

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 5, 2022
Vulnerability Reserved
Sep 5, 2022

CVE-2022-39824 Data

JSON