CVE-2022-2921
CVE-2022-2921 is a high-severity vulnerability in Notrinos Notrinoserp with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-359.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- EPSS exploit prediction: 1% (62nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-359
- Affected product: Notrinos Notrinoserp
- Published:
- Last modified:
Description
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions.
Frequently asked questions
- What is CVE-2022-2921?
- Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions.
- How severe is CVE-2022-2921?
- CVE-2022-2921 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-2921 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (62nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-2921?
- CVE-2022-2921 affects Notrinos Notrinoserp. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-2921?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-2921 published?
- CVE-2022-2921 was published on 2022-08-21 and last updated on 2026-06-17.
References
- https://github.com/notrinos/notrinoserp/commit/1b9903f4deea3289872793e60d730c63ecbf7b45
- https://huntr.dev/bounties/51b32a1c-946b-4390-a212-b6c4b6e4115c
Affected products (1)
- cpe:2.3:a:notrinos:notrinoserp:*:*:*:*:*:*:*:*
More vulnerabilities in Notrinos Notrinoserp
- CVE-2022-2927 — Critical (CVSS 9.8): Weak Password Requirements in GitHub repository notrinos/notrinoserp prior to 0.7.
- CVE-2023-24788 — High (CVSS 8.8): NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at…
- CVE-2022-2871 — Medium (CVSS 5.4): Cross-site Scripting (XSS) - Stored in GitHub repository notrinos/notrinoserp prior to 0.7.
- CVE-2022-2965 — Medium (CVSS 4.3): Improper Restriction of Rendered UI Layers or Frames in GitHub repository notrinos/notrinoserp prior to 0.7.
All CVEs affecting Notrinos Notrinoserp →
Other CWE-359 vulnerabilities
- CVE-2022-0482 — Critical (CVSS 9.1): Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments…
- CVE-2025-53625 — High (CVSS 8.7): The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with…
- CVE-2025-13008 — High (CVSS 8.6): An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and…
- CVE-2023-36052 — High (CVSS 8.6): Azure CLI REST Command Information Disclosure Vulnerability
- CVE-2024-26192 — High (CVSS 8.2): Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
- CVE-2025-66172 — High (CVSS 8.1): The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated…