VDB
CVE-2022-28108
PUBLISHED
CVSS v2.0 9.3 HIGH
Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
EPSS 22.37% · 95.9th percentile
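The description above names the precondition for the CSRF: the Grid's JSON-over-HTTP endpoints also accepted application/x-www-form-urlencoded, multipart/form-data and text/plain. Those three are exactly the content types a browser will send cross-origin without a CORS preflight, so a hostile web page can make a visitor's browser POST an attacker-chosen JSON body, labelled text/plain, to the Grid listening on the visitor's own machine, and the server never gets the OPTIONS request that would let it refuse. The block below is an added illustration written for this page in JavaScript (because the precondition is browser behaviour); it is not Selenium's code, which is Java. It models the attacker's "will this skip the preflight?" test, the server-side Content-Type check that closes the hole, and, because the linked write-up also covers DNS rebinding, a Host-header check for the case where the attacker's hostname is pointed at 127.0.0.1 and the request is therefore same-origin. `handleSessionRequest`, `ALLOWED_HOSTS`, the `/wd/hub/session` stand-in and the three sample requests are assumptions constructed for the example.

```javascript
// Added illustration (not Selenium project code) of CVE-2022-28108's mechanism and
// the checks that close it. Port 4444, the Host/Content-Type headers and the JSON
// capabilities body follow WebDriver conventions; ALLOWED_HOSTS and the handler
// below are assumptions for this example.

// Content types a browser sends cross-origin WITHOUT a CORS preflight
// (Fetch standard, "CORS-safelisted request-header").
const CORS_SAFELISTED_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const TOKEN = "[!#$%&'*+.^_`|~0-9a-z-]+";
const ESSENCE_RE = new RegExp(`^${TOKEN}/${TOKEN}$`, 'i');

// Parse "type/subtype; name=value" into a lower-cased essence plus parameters.
// Returns null for anything malformed so callers fail closed.
function parseMediaType(header) {
  if (typeof header !== 'string') return null;
  const [essence, ...rawParams] = header.split(';').map((s) => s.trim());
  if (!ESSENCE_RE.test(essence)) return null;
  const parameters = {};
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq <= 0) return null; // parameter without a name or value is malformed
    const value = p.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    parameters[p.slice(0, eq).trim().toLowerCase()] = value;
  }
  return { essence: essence.toLowerCase(), parameters };
}

// Attacker's view: will the victim's browser send this cross-origin request
// without first asking the target (OPTIONS preflight) for permission?
function isSimpleRequest(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === 'host') continue; // set by the browser itself, not by the page
    if (n === 'content-type') {
      const mt = parseMediaType(value);
      if (!mt || !CORS_SAFELISTED_TYPES.has(mt.essence)) return false;
    } else if (!['accept', 'accept-language', 'content-language'].includes(n)) {
      return false; // any custom header (e.g. X-Requested-With) forces a preflight
    }
  }
  return true;
}

// Defender's check 1: the JSON wire protocol only uses application/json, so
// every other type is refused before the body is even read. Only a UTF-8
// charset parameter is tolerated; unknown parameters are rejected, not ignored.
function acceptsContentType(header) {
  const mt = parseMediaType(header);
  if (!mt || mt.essence !== 'application/json') return false;
  for (const [k, v] of Object.entries(mt.parameters)) {
    if (k !== 'charset' || v.toLowerCase() !== 'utf-8') return false;
  }
  return true;
}

// Defender's check 2 (assumption: the addresses this deployment listens on).
// The Content-Type rule only stops cross-origin pages. A hostile domain rebound
// to 127.0.0.1 makes the request same-origin, so Host must also be one of ours.
const ALLOWED_HOSTS = new Set(['localhost:4444', '127.0.0.1:4444']);
function isTrustedHost(host) {
  return typeof host === 'string' && ALLOWED_HOSTS.has(host.trim().toLowerCase());
}

function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Minimal stand-in for a hardened POST /wd/hub/session handler.
function handleSessionRequest(req) {
  if (!isTrustedHost(getHeader(req.headers, 'Host'))) {
    return { status: 403, body: 'Host header is not one of ours' };
  }
  if (!acceptsContentType(getHeader(req.headers, 'Content-Type'))) {
    return { status: 415, body: 'Content-Type must be application/json' };
  }
  let payload;
  try {
    payload = JSON.parse(req.body);
  } catch {
    return { status: 400, body: 'body is not valid JSON' };
  }
  const browser = payload?.desiredCapabilities?.browserName ?? 'unknown';
  return { status: 200, body: `would start a ${browser} session` };
}

// Constructed sample requests (not captured traffic).
const capabilities = JSON.stringify({ desiredCapabilities: { browserName: 'chrome' } });
// 1. Hostile page posts a JSON body labelled text/plain straight at the local Grid.
const forgedRequest = {
  method: 'POST',
  headers: { Host: '127.0.0.1:4444', 'Content-Type': 'text/plain' },
  body: capabilities,
};
// 2. Same page served from a rebound hostname: same-origin now, so it can use
//    the proper JSON type; only the Host check catches it.
const rebindingRequest = {
  method: 'POST',
  headers: { Host: 'attacker.example:4444', 'Content-Type': 'application/json' },
  body: capabilities,
};
// 3. The real WebDriver client.
const legitimateRequest = {
  method: 'POST',
  headers: { Host: 'localhost:4444', 'Content-Type': 'application/json; charset=UTF-8' },
  body: capabilities,
};

console.log(isSimpleRequest(forgedRequest.method, forgedRequest.headers)); // true: no preflight
console.log(handleSessionRequest(forgedRequest).status); // 415
console.log(handleSessionRequest(rebindingRequest).status); // 403
console.log(handleSessionRequest(legitimateRequest).status); // 200
```

Two caveats worth keeping in mind when reading this against the CVE. First, the Content-Type restriction works only because browsers refuse to send a cross-origin application/json POST without a preflight; it is not a substitute for authentication, and a non-browser client on the same network is unaffected by it. Second, the check must be on the parsed media type, not a substring match: `text/plain; type=application/json` is still text/plain, and an unparseable header is rejected rather than assumed harmless.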
Risk Scores
- CVSS v2.0: 9.3 (HIGH)
- EPSS: 22.37% (95.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| selenium | selenium_grid | before 4.0.0 |
| Maven | org.seleniumhq.selenium:selenium-grid | 0 |
| Maven | org.seleniumhq.selenium:selenium-server | 0 |
Timeline
- Apr 19, 2022 EPSS Score
- Apr 19, 2022 CVE Published
- Mar 7, 2023 EPSS Score
- Jan 7, 2025 EPSS Score
- Jan 7, 2025 PoC Published
- Jan 8, 2025 PoC Published
- Jan 8, 2025 PoC Published
- Jan 10, 2025 EPSS Score
- Jan 16, 2025 EPSS Score
- Feb 6, 2025 PoC Published
- Feb 12, 2025 EPSS Score
- Feb 23, 2025 PoC Published
References
- https://www.openwall.com/lists/oss-security/2022/02/07/3 url
- https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/ url
- https://www.selenium.dev/downloads/ url
- https://nvd.nist.gov/vuln/detail/CVE-2022-28108 advisory
- https://github.com/SeleniumHQ/selenium package
- https://www.openwall.com/lists/oss-security/2022/04/14/2 url