
=====================================================================

                             CERT-Renater

                   Information Note No. 2021/VULN095
____________________________________________________________________

DATE                : 24/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): iOS running VMware Workspace ONE Boxer versions
                     prior to 22.02.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2022-0006.html
_____________________________________________________________________

Moderate


Advisory ID:    VMSA-2022-0006
CVSSv3 Range:   6.6
Issue Date:     2022-02-23
Updated On:     2022-02-23 (Initial Advisory)
CVE(s):         CVE-2022-22944
Synopsis:       VMware Workspace ONE Boxer update addresses
                a stored cross-site scripting (XSS)
                vulnerability (CVE-2022-22944)


1. Impacted Products
VMware Workspace ONE Boxer


2. Introduction
A stored cross-site scripting (XSS) vulnerability affecting
VMware Workspace ONE Boxer was privately reported to VMware. Updates
are available to address this vulnerability in affected VMware
products.

3a. VMware Workspace ONE Boxer update addresses a stored cross-site
scripting (XSS) vulnerability (CVE-2022-22944)

Description

VMware Workspace ONE Boxer contains a stored cross-site scripting (XSS)
vulnerability. VMware has evaluated the severity of this issue to be in
the Moderate severity range with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

Due to insufficient sanitization and validation of calendar event
descriptions in VMware Workspace ONE Boxer, a malicious actor can inject
script tags to execute arbitrary script within a user's window.
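
Added example, not part of VMware's advisory and not Boxer's code: a
Python sketch of the flaw class described above, showing an event
description placed into markup as-is next to the output-encoded form.
It assumes the description arrives as an iCalendar (RFC 5545)
DESCRIPTION property and is displayed in an HTML view; the sample event,
function names and markup are constructed for illustration.

```python
import html
import re

# Constructed sample event (not taken from the advisory). The second
# physical line is a folded continuation, per RFC 5545 section 3.1.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda\\, no\r\n"
    " tes\\n<script>alert(1)</script>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)


def unfold(ics: str) -> list[str]:
    """Undo line folding: a line break followed by one space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()


def ics_text(value: str) -> str:
    """Decode TEXT escapes: backslash-n is a newline, others are literal."""
    return re.sub(r"\\(.)",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def description(ics: str) -> str:
    """Return the decoded DESCRIPTION of the first event, or ''."""
    for line in unfold(ics):
        name, _, value = line.partition(":")
        if name.split(";")[0].upper() == "DESCRIPTION":
            return ics_text(value)
    return ""


def render_unsafe(desc: str) -> str:
    # Flaw class from the advisory: untrusted text placed in markup as-is,
    # so a <script> element in the description becomes live markup.
    return f'<div class="event-desc">{desc}</div>'


def render_safe(desc: str) -> str:
    # Encode for an HTML text context first, then add line breaks using
    # markup the renderer itself controls.
    encoded = html.escape(desc, quote=True)
    return '<div class="event-desc">' + encoded.replace("\n", "<br>") + "</div>"
```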

Resolution

To remediate CVE-2022-22944, apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.


Acknowledgements

VMware would like to thank Eugene Lim for reporting this issue to us.


Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
-------------------  -------  ----------  --------------  ------  --------  -------------  -----------  ------------------------
Workspace ONE Boxer  Any      iOS         CVE-2022-22944  6.6     Moderate  22.02          None         None
Workspace ONE Boxer  Any      Android     CVE-2022-22944  N/A     N/A       Unaffected     N/A          N/A


4. References
Workspace ONE Boxer for iOS
https://docs.vmware.com/en/Workspace-ONE-Boxer/services/rn/vmware-workspace-one-boxer-for-ios-release-notes/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22944

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L


5. Change Log

2022-02-23: VMSA-2022-0006
Initial security advisory.


6. Contact
E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security



Twitter
https://twitter.com/VMwareSRC



Copyright 2022 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email:cert@support.renater.fr    +
=========================================================

