CVE-2022-39197
In short
Cobalt Strike teamserver versions up to 4.7 have an XSS vulnerability that allows attackers to inject harmful HTML code by modifying the username field in a payload. This could enable attackers to execute malicious scripts on the server if they can access and modify payloads.
Technical detail
An XSS vulnerability exists in the payload inspection functionality where the username field is not properly sanitized before rendering in the teamserver interface. An attacker with access to inspect or create payloads can inject malicious HTML/JavaScript by crafting a malformed username field, leading to code execution in the server context.
Summary generated and translated by AI from the official description.
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a

Public PoCs found: 15
github.com/its-arun/CVE-2022-39197 (★ 385)
github.com/burpheart/CVE-2022-39197-patch (★ 317)
github.com/burpheart/cve-2022-39197 (★ 73)
github.com/xzajyjs/CVE-2022-39197-POC (★ 46)
github.com/xiao-zhu-zhu/pig_CS4.4 (★ 37)
github.com/lovechoudoufu/about_cobaltstrike4.5_cdf (★ 18)
github.com/yqcs/CSPOC (★ 17)
github.com/TheCryingGame/CVE-2022-39197-RCE (★ 13)
github.com/hluwa/cobaltstrike_swing_xss2rce (★ 7)
github.com/4nth0ny1130/CVE-2022-39197-fix_patch (★ 7)
github.com/safe3s/CVE-2022-39197 (★ 3)
github.com/adeljck/CVE-2022-39197 (★ 2)
github.com/Romanc9/Gui-poc-test (★ 2)
github.com/purple-WL/Cobaltstrike-RCE-CVE-2022-39197 (★ 1)
github.com/zeoday/cobaltstrike4.5_cdf-1 (★ 0)

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.