{"id":"CVE-2022-41947","summary":"Cross-site Scripting with user-uploaded files in dhis2-core ","details":"DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints.","aliases":["GHSA-763w-rm78-6xcg"],"modified":"2026-04-10T04:51:36.124627Z","published":"2022-12-08T22:14:14.759Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41947.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41947.json"},{"type":"ADVISORY","url":"https://github.com/dhis2/dhis2-core/security/advisories/GHSA-763w-rm78-6xcg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41947"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dhis2/dhis2-core","events":[{"introduced":"769bded6742261c68549654e8beacdcff2674c2a"},{"fixed":"0ed6717c35e8456c717818b5d28369741700c69c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41947.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}