CVE-2022-23173
CVE-2022-23173 is a medium-severity vulnerability in Priority-software Priority with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-639.
Key facts
- Severity: Medium (CVSS 3.x base score 5.5)
- CVSS v2: 6.5
- EPSS exploit prediction: 1% (40th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-639
- Affected product: Priority-software Priority
- Published:
- Last modified:
Description
this vulnerability affect user that even not allowed to access via the web interface. First of all, the attacker needs to access the "Login menu - demo site" then he can see in this menu all the functionality of the application. If the attacker will try to click on one of the links, he will get an answer that he is not authorized because he needs to log in with credentials. after he performed log in to the system there are some functionalities that the specific user is not allowed to perform because he was configured with low privileges however all the attacker need to do in order to achieve his goals is to change the value of the prog step parameter from 0 to 1 or more and then the attacker could access to some of the functionality the web application that he couldn't perform it before the parameter changed.
Frequently asked questions
- What is CVE-2022-23173?
- this vulnerability affect user that even not allowed to access via the web interface. First of all, the attacker needs to access the "Login menu - demo site" then he can see in this menu all the functionality of the application. If the attacker will try to click on one of the links, he will get an answer that he is not authorized because he needs to log in with credentials. after he performed log in to the system there are some functionalities that the specific user is not allowed to perform because he was configured with low privileges however all the attacker need to do in order to achieve his goals is to change the value of the prog step parameter from 0 to 1 or more and then the attacker could access to some of the functionality the web application that he couldn't perform it before the parameter changed.
- How severe is CVE-2022-23173?
- CVE-2022-23173 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2022-23173 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (40th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-23173?
- CVE-2022-23173 affects Priority-software Priority. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-23173?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-23173 published?
- CVE-2022-23173 was published on 2022-07-06 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:priority-software:priority:*:*:*:*:*:*:*:*
More vulnerabilities in Priority-software Priority
- CVE-2023-23460 — Critical (CVSS 9.1): Priority Web version 19.1.0.68, parameter manipulation on an unspecified end-point may allow authentication bypass.
- CVE-2023-23459 — Critical (CVSS 9.1): Priority Windows may allow Command Execution via SQL Injection using an unspecified method.
- CVE-2024-41697 — Medium (CVSS 6.1): Priority - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CVE-2022-23172 — Medium (CVSS 5.5): An attacker can access to "Forgot my password" button, as soon as he puts users is valid in the system, the system…
- CVE-2024-41699 — Medium (CVSS 4.4): Priority – CWE-552: Files or Directories Accessible to External Parties
- CVE-2024-41698 — Medium (CVSS 4.3): Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
All CVEs affecting Priority-software Priority →
Other CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)) vulnerabilities
- CVE-2025-40805 — Critical (CVSS 10.0): Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an…
- CVE-2024-45032 — Critical (CVSS 10.0): A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge…
- CVE-2026-34037 — Critical (CVSS 9.9): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to…
- CVE-2026-52782 — Critical (CVSS 9.9): OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through…
- CVE-2026-45552 — Critical (CVSS 9.9): Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior,…
- CVE-2026-29200 — Critical (CVSS 9.9): A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and…
Browse all CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)) vulnerabilities →