Vulnerabilities > CVE-2022-26111 - Expression Language Injection vulnerability in Canon Irisnext 9.8.28

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

canon

CWE-917

NVD

Published: 2022-04-25

Updated: 2023-08-08

Summary

The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.

Vulnerable Configurations

Part	Description	Count
Application	Canon Canon Irisnext - Canon Irisnext 9.8.28	2

Common Weakness Enumeration (CWE)

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

References

https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-26111.pdf
https://varsnext.iriscorporate.com/