CVE-2022-24785 - Privilege escalation vulnerability

Severity: Low2022-10-13

Security Advisories


Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

The Oxygen products incorporate Moment.js as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Feedback v2.1 and olderHigh Oxygen Feedback 2.1 build 2022071516
Oxygen Content Fusion v5.0 and olderHigh Oxygen Content Fusion 5.0 build 2022092005





Severity: High

CVSS Score: 7.5

The Moment.js third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24785 vulnerability description. However, Oxygen products does not set any locale/lang for Moment.js library. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Content Fusion v5.0 Moment.js library was updated to v3.2.2 which fixes this vulnerability.

List of Security Advisories