CVE-2022-48429

MEDIUM

JetBrains Hub < 2022.1.15583 - Reflected Cross-Site Scripting in Dashboards

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-48429. PoCs published by echo-devim.

AI-analyzed exploit summary This PoC demonstrates a stored XSS vulnerability in YouTrack (version <= 2022.3.65373) where a low-privileged user can inject malicious JavaScript via the 'directive' parameter in dashboard widgets. The exploit allows for admin account takeover by stealing auth tokens and modifying user details.

Description

In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible

Exploits (1)

nomisec WORKING POC
by echo-devim · poc
https://github.com/echo-devim/CVE-2022-48429_poc

This PoC demonstrates a stored XSS vulnerability in YouTrack (version <= 2022.3.65373) where a low-privileged user can inject malicious JavaScript via the 'directive' parameter in dashboard widgets. The exploit allows for admin account takeover by stealing auth tokens and modifying user details.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: YouTrack <= 2022.3.65373
Auth required
Prerequisites: Low-privileged YouTrack account · Ability to create/share dashboards · Victim interaction (admin must view dashboard)
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 4.6
EPSS 0.0060
EPSS Percentile 44.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
jetbrains/hub < 2022.1.15583
Published Mar 27, 2023
Tracked Since Feb 18, 2026