{"id":"CVE-2022-4560","summary":"Joget wflow-core UniversalTheme.java getInternalJsCssLib cross site scripting","details":"A vulnerability was found in Joget up to 7.0.31. It has been rated as problematic. This issue affects the function getInternalJsCssLib of the file wflow-core/src/main/java/org/joget/plugin/enterprise/UniversalTheme.java of the component wflow-core. The manipulation of the argument key leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 7.0.32 is able to address this issue. The name of the patch is ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215963.","modified":"2026-05-19T00:02:32.462160Z","published":"2022-12-16T00:00:00Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/4xxx/CVE-2022-4560.json","cna_assigner":"VulDB"},"references":[{"type":"WEB","url":"https://github.com/jogetworkflow/jw-community/releases/tag/7.0.32"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/4xxx/CVE-2022-4560.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-4560"},{"type":"ADVISORY","url":"https://vuldb.com/?id.215963"},{"type":"FIX","url":"https://github.com/jogetworkflow/jw-community/commit/ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jogetworkflow/jw-community","events":[{"introduced":"0"},{"fixed":"ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b"}]}],"versions":["7.0.31","7.0.30","7.0.29","7.0.27","7.0.26","7.0.24","7.0.23","7.0.22","7.0.21","7.0.20","7.0.19","7.0.18","7.0.17","7.0.16","7.0.15","7.0.14","7.0.13","7.0.12","7.0.10","7.0.9","7.0.8","7.0.7","7.0.6","7.0.5","7.0.4","7.0.3","7.0.2","7.0.1","7.0.0","7.0-RC","7.0-BETA3","7.0-BETA2","7.0-BETA","7.0-PREVIEW2","6.0.11","6.0.10","6.0.9","6.0.8","6.0.2","6.0.1","6.0-RC2","6.0-RC","6.0-BETA4","6.0-BETA3","6.0-BETA2","5.0.6","5.0.5","5.0.4","5.0.2","5.0.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-4560.json","vanir_signatures":[{"deprecated":false,"target":{"file":"wflow-core/src/main/java/org/joget/plugin/enterprise/UniversalTheme.java"},"signature_type":"Line","id":"CVE-2022-4560-0db03f9e","digest":{"threshold":0.9,"line_hashes":["158635663726217983472901010059599591465","304700672186645028220229901294202004508","154225028638014943428219448264973323617","115452135249741613689382177106090704388","39920110933305863683856645553080535248","248728621705195035522041880141370105100","144018260183446957013167055879652056461","276604849124800141126873294808055252838","105422958201307214203121041514184413671","211355907841970654497823871580622300312","257541133023658505109363042222046124055","283076257109992392593952257963602532121","278261754573956339442564059383966425445","60368975390556120004597297637733737286","267332641852798794349677876471974286808","259900465866629065033095410673679493628"]},"source":"https://github.com/jogetworkflow/jw-community/commit/ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b","signature_version":"v1"},{"deprecated":false,"target":{"file":"wflow-core/src/main/java/org/joget/apps/userview/service/UserviewService.java"},"signature_type":"Line","id":"CVE-2022-4560-2b7bceb7","digest":{"threshold":0.9,"line_hashes":["80711989357200073336713139324831275289","186976876015458969349990622683124900203","234235377152567471742801999263284965667","229473234728104393057885830741042335098"]},"source":"https://github.com/jogetworkflow/jw-community/commit/ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b","signature_version":"v1"},{"deprecated":false,"target":{"file":"wflow-consoleweb/src/main/java/org/joget/apps/app/controller/UserviewWebController.java","function":"embedView"},"signature_type":"Function","id":"CVE-2022-4560-71693da7","digest":{"length":2377,"function_hash":"87862307454326551740070970476114945383"},"source":"https://github.com/jogetworkflow/jw-community/commit/ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b","signature_version":"v1"},{"deprecated":false,"target":{"file":"wflow-core/src/main/java/org/joget/plugin/enterprise/UniversalTheme.java","function":"getInternalJsCssLib"},"signature_type":"Function","id":"CVE-2022-4560-dc3f0125","digest":{"length":2292,"function_hash":"108961901159538210445274541726203846380"},"source":"https://github.com/jogetworkflow/jw-community/commit/ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b","signature_version":"v1"},{"deprecated":false,"target":{"file":"wflow-core/src/main/java/org/joget/apps/userview/service/UserviewService.java","function":"createUserview"},"signature_type":"Function","id":"CVE-2022-4560-dcac8222","digest":{"length":7482,"function_hash":"201396749292714093805324735882364024323"},"source":"https://github.com/jogetworkflow/jw-community/commit/ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b","signature_version":"v1"},{"deprecated":false,"target":{"file":"wflow-consoleweb/src/main/java/org/joget/apps/app/controller/UserviewWebController.java"},"signature_type":"Line","id":"CVE-2022-4560-f7a5f22c","digest":{"threshold":0.9,"line_hashes":["15130841656643092143819814384924911714","95921734899410058779716263774603793439","87762279807701402084105201363760883686","166663989317632409443893254486705736458"]},"source":"https://github.com/jogetworkflow/jw-community/commit/ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b","signature_version":"v1"}],"vanir_signatures_modified":"2026-05-19T00:02:32Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}]}