https://community.safe.com/s/article/FME-Server-Stored-Cross-Site-Scripting-XSS-Vulnerabilities

 

In this latest advisory it's mentioned that there are two specific XSS issues, and two different CVE assignments. That's all well and good, even if there is a ton of lacking pertinent information.

 

The problem I'm having is that this CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38339) was assigned to this specific advisory but there's zero mention of it. Does anyone know specifically why 2022-38339 was assigned?

Hi @euhsz,

 

This vulnerability was first discovered in FME Server 2020 and was captured by CVE-2020-22790 and CVE-2020-22789. At that time our team implemented sanitization checks to resolve these vulnerabilities.

 

However, penetration tests against FME Server 2021 & 2022 found a new XSS vector that needed to be accounted for. The CVE # for these latest findings (CVE-2022-38339) was only released yesterday, and the article has now been updated to include this.

 

Please let me know if you have any other questions.

 

