Researchers disclosed three vulnerabilities affecting Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG), including a post-authentication reflected XSS in PVE’s API Inspector, a CRLF injection flaw in HTTP error handling, and a post-authentication SSRF plus arbitrary file-read issue shared across both products. The XSS bug, tracked as CVE-2022-31358, could let an authenticated attacker run JavaScript in a logged-in administrator’s browser and potentially abuse exposed web UI functions to execute actions on the host. The CRLF injection issue could be exploited in Chromium-based browsers to inject headers and trigger a client-side denial of service by forcing oversized cookie headers that lock users out of the web interface.
The most serious finding was a bug chain in PVE and PMG that allowed low-privileged authenticated users to abuse SSRF and arbitrary file read; in PMG, attackers could also access backup archives containing the authentication private key, forge valid tickets, and escalate privileges to root@pam. MITRE assigned CVE-2022-35507 and CVE-2022-35508 to the latter flaws. Proxmox addressed the XSS in pve-http-server 4.1-2 and patched the CRLF injection and SSRF-related issues in pve-http-server 4.1-3.

Timeline of the four known events, from the most recent confirmed update back to the earliest known activity:
STAR Labs published technical details on three vulnerabilities affecting Proxmox VE and Proxmox Mail Gateway, including reflected XSS, CRLF injection, and an SSRF plus arbitrary file-read chain. The disclosure explained how low-privileged authenticated users could abuse the issues, including a PMG privilege-escalation path via readable backup files.
MITRE assigned CVE-2022-31358 to the reflected XSS issue and later assigned CVE-2022-35507 and CVE-2022-35508 to the remaining CRLF injection and SSRF/file-read vulnerabilities. These identifiers formalized tracking for the three disclosed bugs.
Proxmox released pve-http-server version 4.1-3 to address a CRLF injection flaw in HTTP error handling and a post-authentication SSRF plus arbitrary file-read bug affecting Proxmox VE and Proxmox Mail Gateway. In PMG, the file-read issue could expose backup archives containing authentication keys, enabling privilege escalation to root@pam.
Proxmox fixed a post-authentication reflected XSS issue in the Proxmox VE API Inspector in pve-http-server version 4.1-2. The flaw could allow JavaScript execution in an authenticated administrator's browser and potentially lead to host-level actions through the web UI.