MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery (SSRF, CWE-918) that leads to Cross-Site Scripting (XSS, CWE-79). The SSRF in IssueProxyResourceService::getMdImageByUrl allows an attacker to access internal resources, and also to have JavaScript code executed in the context of MeterSphere's origin in the browser of a victim of the resulting reflected XSS. This vulnerability has been fixed in v2.5.0. There are no known workarounds, so the remediation is to upgrade to v2.5.0 or later.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-79",
"CWE-918"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23544.json"
}"2026-04-11T22:13:40Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23544.json"
[
{
"signature_version": "v1",
"digest": {
"length": 523.0,
"function_hash": "77110813163076223269964780688231298405"
},
"target": {
"function": "setModule",
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiDefinitionService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-02612adb",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"74597424048713370625982061955848967346",
"80400195144060427157536157625941316421",
"278622059026872862423949847973671196730",
"207952611243737198472671079911154459746",
"233242308441286068455009446401530137776",
"134052033360985293444525097200119615911",
"184909783338548346545477627066241699369",
"137044233178490142685876826653310007100"
]
},
"target": {
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiDefinitionService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Line",
"id": "CVE-2022-23544-0dcfd244",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 527.0,
"function_hash": "98269606176672445667308120396951368141"
},
"target": {
"function": "setModule",
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiDefinitionImportUtil.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-0e3400a1",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"278272468182809943751333322377069275211",
"71951828196873899677438052542062045222",
"109854239411965260484724541630281256069",
"188044748739389772539548576830603601632",
"285117938107047641169984029204748101350",
"68106147602694076981046808918931154905",
"286022130004298243619121116320605765985",
"321004169980479186743522093082299493071",
"128526766095259019247329231260784935721",
"51807684610725627000622707640022222682",
"171477103814628376872054511891482354837",
"155648858392908921231963377364750132972",
"285367111953035841530880719011431995504",
"312770132383488658777900224255791150077",
"297530262053536731836653544130919081230",
"296760156087575533856935637162120814484",
"207959224194094800927404467344540554956",
"285235313566469073362857561046448328359",
"188598314509144915819602622670650829711",
"111861678087947991637470044719506802735",
"31654687221518050321666463510277839379",
"277274012059332355248683914027770328412",
"117784581313419710675834262524787955640",
"14237687698053701333385236007462657583",
"136239285941366799835269877115450612615",
"237999526066584084813245701537429215239",
"275931143919445627371129738382229836771",
"318187694863020497912169431223102176486"
]
},
"target": {
"file": "api-test/backend/src/main/java/io/metersphere/listener/ProjectCreatedListener.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Line",
"id": "CVE-2022-23544-12832e60",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 380.0,
"function_hash": "287715581143733191504860747391176947800"
},
"target": {
"function": "initModulePathAndId",
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiDefinitionService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-31f23bd6",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 711.0,
"function_hash": "286418042677208434713815213295066598338"
},
"target": {
"function": "getDefaultNode",
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiModuleService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-491f4156",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"160349206914177042447156744963406420480",
"147731899244851609429641297445128380930",
"83520201094614421543572100521372894336",
"49306493526114162771332189343336842241",
"292790224753109177223202949631377374273",
"80400195144060427157536157625941316421",
"278622059026872862423949847973671196730",
"207952611243737198472671079911154459746"
]
},
"target": {
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiDefinitionImportUtil.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Line",
"id": "CVE-2022-23544-54f6c8cd",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 972.0,
"function_hash": "60039552873452331971343380745113908295"
},
"target": {
"function": "initProjectDefaultNode",
"file": "api-test/backend/src/main/java/io/metersphere/listener/ProjectCreatedListener.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-80aa9554",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 665.0,
"function_hash": "271947535934166749995371920115019080428"
},
"target": {
"function": "getDefaultNode",
"file": "api-test/backend/src/main/java/io/metersphere/service/scenario/ApiScenarioModuleService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-8ff330db",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 795.0,
"function_hash": "225385307528387296242130851522297046422"
},
"target": {
"function": "dealNoModuleData",
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiModuleService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-aaba8054",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"222402245280061330549680870607294530648",
"289905560871697662223757333859920415779",
"14697526473666000140589549997944726492",
"73574124535547208894988364970296253304",
"130256283396663707654054987661602520904",
"283572282235852078276460843037083440814",
"11787278805150716069723747626187018089",
"162455559552731330176622156363568235560",
"22334077816143116663024594343412594434",
"162409620187044018576377379503905216661",
"1904111412676151990019924987917519629",
"84419609645501210644937049552870091627",
"63296024205187108156770491452396890423",
"44492560274996084871354966357247984570",
"133687684314275171149227784140768899922",
"206694450888054013572414858682923712916",
"88865677176790709623725683808409630349",
"213277545811320506350251463241188094543",
"76721161450330510765858970780009557280",
"255600682972385627679119381564779050303",
"33480585626503338337804887948539695835",
"208483972291520012362829766014268808919",
"320565492165136201373036846535823752023",
"30560426698047264364963978333526377504",
"328288338623221814023423111591575337089",
"49456992866032981313676056898895697448",
"112443548835750928086002410831212975247",
"146379125709788091207893920993824078723",
"338680659165998798152565070391246697463",
"19332488788603264423893229343962058960",
"87019283793657214396701480466943451094",
"111038702318403948577527526321905413768",
"181551219314061894997174876275640849421",
"152956198677936677111463997527807624204",
"131396123333700819024460749752766213990",
"256633187406756402541362931432963364337",
"44191306562617299947037894428948444167",
"232291103753518685912873093130090706978",
"147628775333940412816651555575556289697",
"254284674686714701547950944239443087315",
"89750096744968656616023281010179320550",
"133832090419468890161169384692281759125",
"32501426815323623391475178770318058182",
"115845754318846903185965075583507396906",
"65414875540611463333232018403977619800",
"107252165025512687200143143596923464134",
"17042532732903691147791953338021772940",
"259897803813904807490497777652547918945",
"157437110658841877599176896649188723259",
"241105582635798524795650021092889281440",
"121479058264151672128525139161153095309",
"89750096744968656616023281010179320550",
"337160560467578645371214691278507315493",
"137445605693246550866675101508666130184",
"191799228766914010097852586339967055858",
"297511574642409794879342500495757207989",
"143704291393499768911068873538795330801",
"66923118750981902695604767647874258640",
"174305686370370409679882866282061221249",
"150128791857864762550534135399874981835",
"269824057648858177940089312835984819129",
"3381565200042349207611069717622562816",
"142265392778320648391344527611290586503",
"149109118628706427135807011014240297570",
"269824057648858177940089312835984819129",
"3381565200042349207611069717622562816",
"285148124486106241898975564675612134952",
"68218744864252736535147448789814623622",
"259320049084666124223471547544191929224",
"125286532665786734105881151303911369831",
"319722149849100146494219771675391600998",
"270428413605264327252290726825264111257",
"171501788649617725180327382162670827138",
"235987852783806009928765153318943342996",
"101032147783327701835657975289322369493",
"232553452740850048356812062587252073069",
"243726132121131647514840703027916761567",
"93588731297456292418906019284691873701",
"183817461140099373508121398513184303650",
"328982402551109193508074573056072144396"
]
},
"target": {
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiModuleService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Line",
"id": "CVE-2022-23544-b4d94bab",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 1416.0,
"function_hash": "327090266812510986042514661424777104586"
},
"target": {
"function": "setModule",
"file": "api-test/backend/src/main/java/io/metersphere/service/scenario/ApiScenarioModuleService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-b633de0e",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 358.0,
"function_hash": "130441342339627305960364211417201069251"
},
"target": {
"function": "replenishScenarioModuleIdPath",
"file": "api-test/backend/src/main/java/io/metersphere/service/scenario/ApiScenarioService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-baa9585c",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121091239688263335219630949546794071736",
"163107326363096523125664167948664905988",
"197327421144043305959840517951555602998",
"123280177621905834499572829627684326787"
]
},
"target": {
"file": "api-test/backend/src/main/java/io/metersphere/service/scenario/ApiScenarioService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Line",
"id": "CVE-2022-23544-cf84b383",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 325.0,
"function_hash": "139422468988274053594253252339311135088"
},
"target": {
"function": "getDefaultNodeUnCreateNew",
"file": "api-test/backend/src/main/java/io/metersphere/service/definition/ApiModuleService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Function",
"id": "CVE-2022-23544-efac217e",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"29157381437871380938878930372372325541",
"181303917191981290187068398184840396308",
"281764158105859630175977404387493073011",
"304285694422565054913608007266982689885",
"278730375576495053258462166750322686463",
"36759592528653042853637481198353335556",
"115175280774467255361303673002061491529",
"252953681829500709626842993287806127487",
"121120130622466068829265828949506869148",
"221522663221509936711841130292622737076",
"1273695540759509653905855891763572833",
"269932115789218713762933126026896629876",
"79165981814158609230338484195989604558",
"311575270029738126941768558071735731970",
"223261684746928011210437901490929508550",
"74990744622745911569453630610629580546",
"138757364690304626285434878973442139176",
"201936417802517596632722503221868353309",
"210426139174828880467897380254928789612",
"173530249456698254868992558462139500732",
"39643933930835277707516807712449459741"
]
},
"target": {
"file": "api-test/backend/src/main/java/io/metersphere/service/scenario/ApiScenarioModuleService.java"
},
"source": "https://github.com/metersphere/metersphere/commit/1e7e6908c5f2a30981e99bf6e6ecdb41079fc39c",
"signature_type": "Line",
"id": "CVE-2022-23544-f6b1b83a",
"deprecated": false
}
]