CVE-2022-22978
Cross-Site Scripting (XSS) vulnerability in spring-security-core (Maven)

Cross-Site Scripting (XSS) Proof of concept

What is CVE-2022-22978 About?

Versions of `bootstrap` prior to 3.4.1 (for 3.x) and 4.3.1 (for 4.x) are vulnerable to Cross-Site Scripting (XSS) via the `data-template` attribute of the tooltip and popover plugins. This flaw allows attackers to execute arbitrary JavaScript because the attribute value is not sanitized. Exploitation is relatively easy when an attacker controls this attribute.

Affected Software

  • org.springframework.security:spring-security-core
    • >5.5.0, <5.5.7
    • >5.6.0, <5.6.4
    • <5.4.11
  • org.springframework.security:spring-security-web
    • >5.5.0, <5.5.7
    • >5.6.0, <5.6.4
    • <5.4.11

Technical Details

This Cross-Site Scripting (XSS) vulnerability affects Bootstrap's tooltip and popover plugins. Specifically, the `data-template` attribute, which allows developers to provide custom HTML templates for these UI components, does not adequately sanitize or encode user-supplied input. An attacker can inject malicious JavaScript code directly into this attribute. When the tooltip or popover is initialized and rendered with the crafted `data-template` value, the embedded JavaScript executes in the context of the user's browser without proper escaping. Because the template is rendered unescaped, an attacker can perform arbitrary client-side actions, such as stealing session cookies, defacing the page, or redirecting users.

What is the Impact of CVE-2022-22978?

Successful exploitation may allow attackers to execute arbitrary scripts in the context of the victim's browser, leading to session hijacking, defacement of web pages, or other client-side attacks.

What is the Exploitability of CVE-2022-22978?

Exploitation of this XSS vulnerability is straightforward and of low to moderate complexity. There are no specific authentication or privilege requirements; an attacker only needs the ability to influence the content of the `data-template` attribute of a tooltip or popover. The attack vector is typically remote: a victim interacts with a page containing the malicious Bootstrap component. The special conditions are the use of an affected Bootstrap version and the rendering of tooltips or popovers with untrusted input in the `data-template` attribute. The risk increases significantly in applications that display user-generated content inside Bootstrap's tooltip/popover components without strict sanitization.

What are the Known Public Exploits?

Known PoCs (author, link, commentary):

  • DeEpinGh0st (Link): CVE-2022-22978 Spring-Security bypass Demo
  • ducluongtran9121 (Link): PoC of CVE-2022-22978 vulnerability in Spring Security framework
  • aeifkz (Link): CVE-2022-22978 POC Project

What are the Available Fixes for CVE-2022-22978?

Available Upgrade Options

  • org.springframework.security:spring-security-web
    • <5.4.11 → Upgrade to 5.4.11
    • >5.5.0, <5.5.7 → Upgrade to 5.5.7
    • >5.6.0, <5.6.4 → Upgrade to 5.6.4
  • org.springframework.security:spring-security-core
    • <5.4.11 → Upgrade to 5.4.11
    • >5.5.0, <5.5.7 → Upgrade to 5.5.7
    • >5.6.0, <5.6.4 → Upgrade to 5.6.4


Additional Resources

What are Similar Vulnerabilities to CVE-2022-22978?

Similar Vulnerabilities: CVE-2016-10735, CVE-2018-14041, CVE-2017-7610, CVE-2017-7611, CVE-2017-7612