Remote Code Execution in Cobalt Strike UI via HTML Injection

CVE-2022-42948 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed in Swing components. Because Swing renders a string that begins with an HTML tag as markup rather than as literal text, an attacker who can inject crafted HTML into such a component can remotely execute code in the Cobalt Strike UI.
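The root cause described above is a general Swing behaviour: `JLabel`, `JButton`, tooltips and similar components interpret text that starts with `<html>` as markup. The following is an added example, not code from the advisory or from the Cobalt Strike code base, showing the unsafe pattern beside the hardened one. It assumes an application that displays remotely influenced strings (a hostname, a process name) in a `JLabel`; the class name `SafeSwingText` and the sample value are constructed for illustration. The `"html.disable"` client property and `BasicHTML.isHTMLString` are real Swing APIs.

```java
import javax.swing.JLabel;
import javax.swing.plaf.basic.BasicHTML;

/** Hypothetical helper class (not part of any real project). */
public final class SafeSwingText {

    /** Escape the characters that let text be read as HTML markup. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unsafe pattern: a remotely influenced string goes straight into the component. */
    static JLabel unsafeLabel(String untrusted) {
        // If 'untrusted' starts with "<html>", Swing renders it as markup.
        return new JLabel(untrusted);
    }

    /** Hardened pattern: turn HTML rendering off for the component and escape anyway. */
    static JLabel hardenedLabel(String untrusted) {
        JLabel label = new JLabel();
        // BasicHTML honours this client property and skips HTML rendering entirely.
        // It must be set before setText() so the check applies to the new value.
        label.putClientProperty("html.disable", Boolean.TRUE);
        // Escaping is defence in depth: even a component without the property
        // would now show the tags literally instead of interpreting them.
        label.setText(escapeHtml(untrusted));
        return label;
    }

    public static void main(String[] args) {
        // Constructed sample value: a "hostname" that a remote party controls.
        String untrusted = "<html><b>host-01</b>";

        System.out.println("raw value treated as HTML by Swing:     "
                + BasicHTML.isHTMLString(untrusted));                 // true
        System.out.println("escaped value treated as HTML by Swing: "
                + BasicHTML.isHTMLString(escapeHtml(untrusted)));     // false

        JLabel unsafe = unsafeLabel(untrusted);
        JLabel hardened = hardenedLabel(untrusted);
        System.out.println("unsafe label text:   " + unsafe.getText());
        System.out.println("hardened label text: " + hardened.getText());
    }
}
```

The check `BasicHTML.isHTMLString` is the same test Swing's look-and-feel code uses to decide whether to build an HTML renderer, so it is a convenient way to audit which display paths in a codebase are reachable with attacker-shaped input. Setting `"html.disable"` on every component that shows remote data, and escaping at the single point where remote data is converted to display text, removes the class of bug rather than patching one field at a time.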
