CVE-2022-31358: Reflected cross-site scripting in Proxmox Virtual Environment
A reflected cross-site scripting (XSS) vulnerability in Proxmox Virtual Environment prior to v7.2-3 allows remote attackers to execute arbitrary web scripts or HTML via non-existent endpoints under path /api2/html/.
AI Analysis
Technical Summary
CVE-2022-31358 is a reflected cross-site scripting (XSS) vulnerability in Proxmox Virtual Environment (VE) before v7.2-3. The web management interface (pveproxy, normally on TCP 8006) answers requests for non-existent endpoints under /api2/html/ with an HTML error response, and that response echoes attacker-controlled request data, most directly the requested path, without HTML-encoding it. The attacker therefore places nothing on the server: they craft a URL to a non-existent /api2/html/ path that carries a script payload and get an administrator to open it, for example through a link in an email or chat message. Because the script runs in the origin of the Proxmox web UI, it inherits the victim's session: it can call the /api2/json/ API with the victim's ticket and CSRF token exactly as the UI does, so it does not even need to read the session cookie. The recorded CVSS 3.1 base score is 9.0 (critical) with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H: reachable over the network, low attack complexity, low privileges, user interaction required, and a scope change because the injected script executes in the victim's browser rather than in the vulnerable component. The High impact metrics are bounded by the victim's role, which on a hypervisor management UI is typically full control over VMs, containers, storage and cluster configuration. No exploitation in the wild is reported. Successful exploitation lets an attacker act as the victim: hijack the session, harvest credentials entered into the UI, change or destroy guests, or use the administrator's access as a foothold into the rest of the infrastructure.
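The following Python script is an added example, not Proxmox code and not from the advisory: it checks whether a host still reflects request data unescaped on a non-existent /api2/html/ path. It sends a harmless marker containing only the characters an HTML context must encode and reports whether the marker comes back verbatim, entity-encoded, percent-encoded or not at all. The host name, the marker, the sample response bodies and the error-page wording are constructed assumptions; Proxmox's real error text is not reproduced here.

```python
"""Reflection check for non-existent /api2/html/ endpoints.

Added example, not Proxmox code. Host, marker and sample bodies are
constructed assumptions; the error-page wording below is invented for
illustration and is not Proxmox's actual response text.
"""
import html
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Benign marker: no executable content, but every character an HTML
# text context must encode ('<', '>', '"', "'").
MARKER = "pvecheck<x>\"y'z"


def build_probe_url(base_url: str, marker: str = MARKER) -> str:
    """Non-existent endpoint under /api2/html/ with the marker as the last path segment."""
    return base_url.rstrip("/") + "/api2/html/" + urllib.parse.quote(marker, safe="")


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Classify how a response body reflects the marker.

    'unescaped'        marker echoed with metacharacters intact  -> the vulnerable pattern
    'escaped'          marker echoed only as HTML entities        -> the fixed pattern
    'percent-encoded'  marker echoed only in URL-encoded form     -> harmless in HTML
    'absent'           marker not reflected at all
    """
    if marker in body:
        return "unescaped"
    if html.escape(marker, quote=True) in body or html.escape(marker, quote=False) in body:
        return "escaped"
    if urllib.parse.quote(marker, safe="") in body:
        return "percent-encoded"
    return "absent"


def probe(base_url: str, timeout: float = 5.0, verify_tls: bool = True) -> str:
    """Live check against a host you are authorised to test; not exercised offline."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # Proxmox ships a self-signed certificate by default
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(build_probe_url(base_url), headers={"Accept": "text/html"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # a 4xx is expected; the body is what matters
        body = err.read().decode("utf-8", "replace")
    return classify_reflection(body)


# Constructed sample bodies standing in for an unpatched and a patched server.
VULNERABLE_SAMPLE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>No such resource: /api2/html/pvecheck<x>\"y'z</p></body></html>"
)
FIXED_SAMPLE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>No such resource: /api2/html/pvecheck&lt;x&gt;&quot;y&#x27;z</p></body></html>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python3 check.py https://pve.example.internal:8006
        print(probe(sys.argv[1], verify_tls=False))
    else:
        print("unpatched-style body:", classify_reflection(VULNERABLE_SAMPLE))
        print("patched-style body:  ", classify_reflection(FIXED_SAMPLE))
```

Only "unescaped" indicates the vulnerable behaviour; an entity-encoded or percent-encoded echo cannot break out of the text context. Run it only against hosts you are authorised to test, and treat "absent" as inconclusive rather than as proof of a fix, since the server may simply not reflect that part of the request.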
Potential Impact
For European organizations the impact can be severe: Proxmox VE is common in data centres, hosting providers and enterprise virtualisation estates, and its web UI is the administrative control plane for every VM and container on the cluster. Script running in an administrator's session can read configuration and secrets exposed through the API (confidentiality), create, modify or migrate guests and change permissions or storage (integrity), and stop or delete workloads (availability). In finance, telecommunications, healthcare and government that translates into operational downtime, regulatory exposure and reputational damage. The attack needs only a victim who is logged in and opens a link, so phishing or social engineering is sufficient; the organisations most exposed are those whose administrators browse the internet from the same browser session they use for hypervisor management.
Mitigation Recommendations
Upgrade Proxmox VE to 7.2-3 or later, which contains the fix, and confirm the installed version with pveversion on every node, since clusters are upgraded node by node. Until then, restrict TCP 8006 (the pveproxy web UI and API) to management networks or a VPN with host or perimeter firewall rules. A WAF rule that blocks HTML metacharacters in paths under /api2/html/ only helps if the UI is already fronted by a reverse proxy; most Proxmox hosts expose pveproxy directly. Enable Proxmox's built-in two-factor authentication for all users, with the caveat that it raises the cost of reusing stolen credentials but does not stop this attack, because the injected script runs inside an already authenticated session. Apply least privilege through Proxmox's role-based permissions so that a hijacked session of a VM operator cannot reconfigure the cluster, and keep day-to-day browsing out of the browser profile used for hypervisor administration. Train administrators to treat unexpected links into the management UI as phishing. Review /var/log/pveproxy/access.log for requests to non-existent paths under /api2/html/ that carry angle brackets, quotes or script-like tokens, URL-encoded and possibly double-encoded; these are the probes an attacker sends while preparing a payload.
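To make the log-review recommendation concrete, here is an added Python detector (not Proxmox code) over pveproxy access-log lines. It assumes /var/log/pveproxy/access.log uses a Common Log Format style layout with the Proxmox user in the third field, which is an assumption about the format rather than something the advisory states; the five sample lines are constructed, and the decoder runs repeatedly so double-encoded payloads are still caught.

```python
"""Detector for script-like payloads in requests to /api2/html/.

Added example, not Proxmox code. Assumes pveproxy's access log
(/var/log/pveproxy/access.log) uses a Common Log Format layout with the
Proxmox user in the third field; the sample lines are constructed.
"""
import re
import urllib.parse
from dataclasses import dataclass
from typing import Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters and tokens that never belong in a legitimate API path segment.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=|\bscript\b', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    user: str
    ts: str
    target: str
    status: int
    reason: str


def decode_target(target: str) -> str:
    """URL-decode until stable (max 3 rounds) so double-encoded payloads such as %253C are seen."""
    cur = target
    for _ in range(3):
        nxt = urllib.parse.unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for a /api2/html/ request carrying HTML metacharacters or script tokens."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not target.startswith("/api2/html/"):
        return None
    hit = SUSPICIOUS.search(decode_target(target))
    if not hit:
        return None
    return Finding(
        ip=m.group("ip"), user=m.group("user"), ts=m.group("ts"), target=target,
        status=int(m.group("status")), reason=f"suspicious token {hit.group(0)!r} in /api2/html/ path",
    )


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run inspect_line over every line and keep the hits."""
    return [f for f in (inspect_line(line) for line in lines) if f is not None]


# Constructed sample log: two normal UI requests, one legitimate /api2/html/ call,
# and two probes from an external address (the second one double-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - root@pam [21/05/2025:09:09:29 +0000] "GET /api2/json/cluster/resources HTTP/1.1" 200 4821',
    '10.0.0.5 - root@pam [21/05/2025:09:10:02 +0000] "GET /api2/html/nodes/pve1/status HTTP/1.1" 200 3310',
    '198.51.100.23 - - [21/05/2025:09:11:45 +0000] "GET /api2/html/no-such-path%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 612',
    '198.51.100.23 - - [21/05/2025:09:11:46 +0000] "GET /api2/html/%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 404 598',
    '10.0.0.7 - ops@pve [21/05/2025:09:12:00 +0000] "GET /api2/json/nodes/pve1/qemu HTTP/1.1" 200 2201',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} user={f.user} status={f.status} {f.reason}: {f.target}")
```

The detector deliberately ignores the status code: a probe against a non-existent endpoint will usually be a 404, but a successful 200 on a real /api2/html/ endpoint with metacharacters in the path is just as worth looking at. A source address with no Proxmox user (the "-" field) hitting these paths is reconnaissance; the same payload fetched by an authenticated user is the victim opening the attacker's link.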
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-05-23T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf6c1a
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 3:36:55 PM
Last updated: 8/15/2025, 4:29:19 AM
Related Threats
- CVE-2025-9023: Buffer Overflow in Tenda AC7 (High)
- CVE-2025-8905: CWE-94 Improper Control of Generation of Code ('Code Injection') in inpersttion Inpersttion For Theme (Medium)
- CVE-2025-8720: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in morehawes Plugin README Parser (Medium)
- CVE-2025-8091: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ashanjay EventON – Events Calendar (Medium)
- CVE-2025-8080: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in alobaidi Alobaidi Captcha (Medium)