CVE-2022-2421 - Remote Code Execution (RCE)
Severity: Critical
2023-01-06
Abstract
Due to improper type validation in the attachment parsing of the Socket.io JS library, it is possible to overwrite the _placeholder object, which allows an attacker to place references to functions at arbitrary places in the resulting query object.
The Oxygen products incorporate Socket.io as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
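The type-validation gap described in the abstract, shown as a simplified model with the unvalidated check beside a validated one. This is an added example, not code from Socket.io or Oxygen: the function names and sample packets are constructed, and the `num` index field is assumed from the placeholder format used by the Socket.io parser.

```javascript
// Simplified model of binary-attachment reconstruction (illustrative only).
// A packet's JSON body carries markers {_placeholder: true, num: <index>}
// that are replaced by the binary attachments received after it.

// Unvalidated form: any truthy _placeholder is trusted, num is used as a raw key.
function reconstructLoose(data, buffers) {
  if (!data) return data;
  if (data._placeholder) return buffers[data.num];
  if (Array.isArray(data)) return data.map((d) => reconstructLoose(d, buffers));
  if (typeof data === "object") {
    for (const key of Object.keys(data)) data[key] = reconstructLoose(data[key], buffers);
  }
  return data;
}

// Validated form: the marker must be exactly true and num an in-range integer.
function reconstructStrict(data, buffers) {
  if (!data) return data;
  if (data._placeholder === true) {
    const ok = Number.isInteger(data.num) && data.num >= 0 && data.num < buffers.length;
    if (!ok) throw new Error("illegal attachments");
    return buffers[data.num];
  }
  if (Array.isArray(data)) return data.map((d) => reconstructStrict(d, buffers));
  if (typeof data === "object") {
    for (const key of Object.keys(data)) data[key] = reconstructStrict(data[key], buffers);
  }
  return data;
}

// Constructed sample packets: one well-formed, one with a non-numeric num.
function demo() {
  const buffers = [Buffer.from("attachment-0")];
  const wellFormed = () => ({ args: [{ _placeholder: true, num: 0 }] });
  const malformed = () => ({ args: [{ _placeholder: true, num: "slice" }] });

  // Loose check resolves num against the array's prototype chain.
  const loose = reconstructLoose(malformed(), buffers);
  let rejected = false;
  try { reconstructStrict(malformed(), buffers); } catch (e) { rejected = true; }
  return {
    looseType: typeof loose.args[0],
    rejected,
    strictOk: Buffer.isBuffer(reconstructStrict(wellFormed(), buffers).args[0]),
  };
}
```

With the unvalidated check the malformed marker resolves to a function inherited by the attachments array rather than to a buffer, which is the behaviour the abstract describes; the validated check rejects the packet before any lookup happens.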
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Content Fusion v5.0.1 and older | Critical | Oxygen Content Fusion 5.0.2 build 2022121305 |