Skip to main content
  • EN

https://community.safe.com/s/article/FME-Server-Stored-Cross-Site-Scripting-XSS-Vulnerabilities

 

In this latest advisory it's mentioned that there are two specific XSS issues, and two different CVE assignments. That's all well and good, even if there is a ton of lacking pertinent information.

 

The problem I'm having is that this CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38339) was assigned to this specific advisory but there's zero mention of it. Does anyone know specifically why 2022-38339 was assigned?

Hi @euhsz​ ,

 

This vulnerability was first discovered in FME Server 2020 and was captured by CVE-2020-22790 and CVE-2020-22789. At that time our team implemented sanitization checks to resolve these vulnerabilities.

 

However, penetration tests against FME Server 2021 & 2022 found a new XSS vector that needed to be accounted for. The CVE # for these latest findings (CVE-2022-38339) was only released yesterday, and the article has now been updated to include this.

 

Please let me know if you have any other questions.

 

Reply


Community Stats

30,146
Posts
114,427
Replies
37,787
Members
Terms & ConditionsCookie settings
A product of
Safe Software respectfully acknowledges that we live, learn and work on the traditional and unceded territories of the Kwantlen, Katzie, and Semiahmoo First Nations.