What is the current status of CVE-2022-35739 and Paessler PRTG?
What do I need to know about CVE-2022-35739?
Modified on 2025-06-10 16:41:28 +0200
Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.
CVE-2022-35739
With version PRTG 23.1.83.1742, PRTG validates the value of a device icon so that it can no longer be modified to insert arbitrary content into the style tags when the Cascading Style Sheets (CSS) for the relevant page are loaded. We recommend that you install the update as soon as possible via the Auto-Update feature of PRTG.
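The fix described above is an allowlist check on the icon value before it is placed into a style block. The following is an added illustration of that pattern and is not PRTG's own code: it assumes a hypothetical icon field holding a plain image file name such as `device_server.png`, shows the before-style behaviour in which the raw value is interpolated into CSS, and beside it the hardened version that rejects anything outside the allowlist and falls back to a known icon. The allowlist pattern, the `/icons/` path and the fallback name are constructed for the example.

```python
import re

# Allowlist for icon values: a short file name made of letters, digits,
# underscore or hyphen, with a known image extension. This rule is an
# assumption for the example and is not PRTG's actual validation.
ICON_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|svg|gif)")

DEFAULT_ICON = "device_default.png"  # constructed fallback value


def is_valid_icon(value: str) -> bool:
    """Return True only if the whole value matches the allowlist pattern."""
    return ICON_NAME.fullmatch(value) is not None


def icon_css_unsafe(icon: str) -> str:
    """Pre-fix behaviour: the stored value is placed straight into the style
    block, so any quote or brace it contains becomes part of the CSS."""
    return f".device-icon {{ background-image: url('/icons/{icon}'); }}"


def icon_css_safe(icon: str, fallback: str = DEFAULT_ICON) -> str:
    """Hardened behaviour: values that fail the allowlist never reach the
    style block; a known-good icon is used instead."""
    if not is_valid_icon(icon):
        # In a real service this rejection is worth logging, since a stored
        # icon value that is not a plain file name indicates tampering.
        icon = fallback
    return f".device-icon {{ background-image: url('/icons/{icon}'); }}"


def css_is_single_rule(css: str) -> bool:
    """Sanity check on the generated CSS: exactly one rule block and no
    stray quotes that would let content escape the url() value."""
    return css.count("{") == 1 and css.count("}") == 1 and css.count("'") == 2


if __name__ == "__main__":
    # Constructed sample values: one normal icon name and one tampered value
    # that tries to close the url() and open a second CSS rule.
    samples = ["device_server.png", "x.png'); } .tampered {"]
    for s in samples:
        print("valid:", is_valid_icon(s))
        print("unsafe:", icon_css_unsafe(s), "->", css_is_single_rule(icon_css_unsafe(s)))
        print("safe:  ", icon_css_safe(s), "->", css_is_single_rule(icon_css_safe(s)))
```

Validating against a positive allowlist, rather than stripping individual characters, is the design choice that matters here: a value that is not a plain file name has no legitimate use as an icon, so it can be rejected outright instead of trying to anticipate every way a string could break out of a CSS value.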
Summary
Details
Researchers from Raxis published details for CVE-2022-35739. After conducting our own investigation, we can confirm that PRTG is affected by CVE-2022-35739. Our conclusion aligns with Raxis' assessment that the severity of this vulnerability is low because it is difficult to exploit and its impact is limited.
Early reports by the Federal Office for Information Security (BSI) rated this vulnerability automatically and without the missing details, which resulted in a wrong severity calculation (High instead of Low). We have already contacted the BSI so that they adjust their CVSS score to reflect the actual severity.
For details about the issue, see CVE 2022-35739 PRTG Network Monitor CSS Injection — Raxis and NVD - CVE-2022-35739 (nist.gov).
We will update this article as soon as new information is available.
Oct, 2022