CVE-2022-24785 - Privilege escalation vulnerability

Severity: Low2022-10-13

Security Advisories

Abstract

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

The Oxygen products incorporate Moment.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Feedback v2.1 and olderHigh Oxygen Feedback 2.1 build 2022071516
Oxygen Content Fusion v5.0 and olderHigh Oxygen Content Fusion 5.0 build 2022092005

Mitigation

None

Detail

CVE-2022-24785

Severity: High

CVSS Score: 7.5

The Moment.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24785 vulnerability description. However, Oxygen products does not set any locale/lang for Moment.js library. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Content Fusion v5.0 Moment.js library was updated to v3.2.2 which fixes this vulnerability.

List of Security Advisories

Video Tutorials
Upcoming Events
conference
Declarative Amsterdam 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor