CVE-2022-39197

CVSS 6.1 MEDIUM · EPSS 46.4% · KEV · CWE-79
Vexday Risk Score: 75 (High priority)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS 6.1 · EPSS 46.4% · KEV: yes · Public PoC · Nuclei · Metasploit · Patch
Lifecycle
21 Sep 2022: Public PoC
22 Sep 2022: Published on NVD
30 Mar 2023: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Cobalt Strike teamserver versions up to 4.7 have an XSS vulnerability that allows attackers to inject harmful HTML code by modifying the username field in a payload. This could enable attackers to execute malicious scripts on the server if they can access and modify payloads.

Technical detail

An XSS vulnerability exists in the payload inspection functionality where the username field is not properly sanitized before rendering in the teamserver interface. An attacker with access to inspect or create payloads can inject malicious HTML/JavaScript by crafting a malformed username field, leading to code execution in the server context.

Summary generated and translated by AI from the official description.
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a