CVE-2022-1231 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-1231 Interim 1 6 2025-02-16T03:30:02Z current 2022-04-19T14:02:10Z 2025-02-16T03:30:02Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-1231 XSS via Embedded SVG in SVG Diagram Format in GitHub repository plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of the diagram embedder. Depending on the actual context, this ranges from stealing secrets to account hijacking or even to code execution for example in desktop applications. Web based applications are the ones most affected. Since the SVG format allows clickable links in diagrams, it is commonly used in plugins for web based projects (like the Confluence plugin, etc. see https://plantuml.com/de/running). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Tumbleweed plantuml-1.2022.4-1.1 plantuml-javadoc-1.2022.4-1.1 plantuml-1.2022.4-1.1 as a component of openSUSE Tumbleweed plantuml-javadoc-1.2022.4-1.1 as a component of openSUSE Tumbleweed XSS via Embedded SVG in SVG Diagram Format in GitHub repository plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of the diagram embedder. Depending on the actual context, this ranges from stealing secrets to account hijacking or even to code execution for example in desktop applications. Web based applications are the ones most affected. Since the SVG format allows clickable links in diagrams, it is commonly used in plugins for web based projects (like the Confluence plugin, etc. see https://plantuml.com/de/running). CVE-2022-1231 openSUSE Tumbleweed:plantuml-1.2022.4-1.1 openSUSE Tumbleweed:plantuml-javadoc-1.2022.4-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N