CVE-2022-24785 was reported in a penetration scan.
PAM uses moment.js 2.17.1.
PAM Versions: 4.1.0 - 4.2.x
PAM is not vulnerable to this CVE.
The vulnerability occurs if the user is able to provide the locale to the moment APIs. The fix is to "sanitize" the locale, or to not allow the user to switch the locale, before calling the moment() API.
All PAM JavaScript calls to the moment() API are for date calculations or formatting dates, such as converting to/from PAM server time and user preferences.
PAM uses a predefined set of time zone regions and date formats and does not provide a user option to specify the locale used by the moment() API.
The PAM UI does not change or switch the locale used by moment() (e.g. moment.locale('ja') or moment.utc(time, format, locale)); PAM only uses the moment API for time calculations.
Therefore, PAM is not vulnerable to this CVE.
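
The "sanitize" mitigation mentioned above, shown as an added example that is not PAM code: a wrapper that maps any requested locale onto a fixed allowlist before it reaches moment.locale(). The allowlist contents, the 'en' fallback and the function names sanitizeLocale and setLocaleSafely are assumptions made for illustration.

```javascript
// Added example, not PAM code. The allowlist below is constructed;
// an application would list only the locales it actually ships.
const ALLOWED_LOCALES = new Set(['en', 'ja', 'fr', 'de']);

// A locale name is a short language tag (e.g. "en", "pt-br").
// Anything that does not have this shape is never passed on.
const LOCALE_SHAPE = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/;

// Return an allowlisted locale name, or the fallback if the input
// is missing, malformed, or not on the allowlist.
function sanitizeLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const candidate = input.trim().toLowerCase().replace(/_/g, '-');
  if (!LOCALE_SHAPE.test(candidate)) return fallback;
  if (ALLOWED_LOCALES.has(candidate)) return candidate;
  // Regional variant of an allowed language: "fr-ca" -> "fr".
  const base = candidate.split('-')[0];
  return ALLOWED_LOCALES.has(base) ? base : fallback;
}

// Intended to be the only place in the application that switches the
// locale. momentLib is the moment object (or any object exposing a
// locale(name) method), passed in so the wrapper can be unit-tested.
function setLocaleSafely(momentLib, requestedLocale) {
  const locale = sanitizeLocale(requestedLocale);
  momentLib.locale(locale);
  return locale;
}

// Constructed sample inputs, as they might arrive from a request
// parameter or a stored user preference.
function demo() {
  const inputs = ['ja', 'FR_CA', 'xx', '../../etc/passwd', undefined];
  return inputs.map((value) => sanitizeLocale(value));
}
```

With this in place, a code review only needs to confirm that no other call site passes a variable to moment.locale() or to the locale argument of moment(), moment.utc() and similar constructors.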