VYPR
High severity · NVD Advisory · Published Apr 5, 2022 · Updated Aug 2, 2024

Cross-site Scripting (XSS) - DOM in tastyigniter/tastyigniter

CVE-2022-0602

Description

DOM-based XSS vulnerability in TastyIgniter prior to 3.3.0 allows attackers to inject arbitrary JavaScript via the ScheduleEditor's scheduleCode parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A DOM-based cross-site scripting (XSS) vulnerability exists in the ScheduleEditor form widget of TastyIgniter versions prior to 3.3.0. The onLoadRecord method read the recordId value from the HTTP POST request into $scheduleCode and concatenated it, unvalidated, into a translation key passed to lang() inside a sprintf call. Specifically, the line $formTitle = sprintf(lang($this->formTitle), lang('admin::lang.text_'.$scheduleCode)); let an attacker control $scheduleCode, and with it the string that ended up in the form title, which could include malicious JavaScript payloads. The fix in commit [1] changes the code to use the pre-defined $scheduleItem->name instead, so the label comes from the server-side schedule definition rather than from the request, preventing the injection.
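To make the mechanism concrete, here is an added PHP illustration. It is not TastyIgniter's own code and not part of the advisory: a stand-in lang() that behaves like the Laravel translator by returning the lookup key unchanged when no translation exists, the pre-fix title construction, and a post-fix version that resolves the label from a server-side schedule list. The LANG table, the schedule list and the marker input are constructed for the example; the function names vulnerableTitle() and fixedTitle() are the example's own.

```php
<?php
// Added illustration (not TastyIgniter code). Models the translator fallback
// that made the pre-3.3.0 ScheduleEditor title request-controlled, and the
// allow-list shape the fix takes (label resolved from a server-side
// definition, never from the request value).

declare(strict_types=1);

// Constructed stand-in for the translation table; real lang files are larger.
const LANG = [
    'admin::lang.text_opening'       => 'Opening',
    'admin::lang.text_delivery'      => 'Delivery',
    'admin::lang.text_collection'    => 'Pick-up',
    'admin::lang.text_edit_schedule' => 'Edit %s schedule',
];

// Mimics the framework translator: an unknown key is returned unchanged.
function lang(string $key): string
{
    return LANG[$key] ?? $key;
}

// Pre-fix shape: the request value is spliced into the lookup key, so any
// string that is not a known key flows straight through into the title.
function vulnerableTitle(string $scheduleCode): string
{
    return sprintf(
        lang('admin::lang.text_edit_schedule'),
        lang('admin::lang.text_' . $scheduleCode)
    );
}

// Post-fix shape: the request value only selects an entry from a server-side
// list; the label comes from that entry's definition. Unknown codes are
// rejected before any string is built.
function fixedTitle(string $scheduleCode, array $schedules): string
{
    if (!array_key_exists($scheduleCode, $schedules)) {
        throw new InvalidArgumentException('Unknown schedule code');
    }

    return sprintf(
        lang('admin::lang.text_edit_schedule'),
        lang($schedules[$scheduleCode]['name'])
    );
}

// Constructed schedule list, keyed by code, in the shape listSchedules() now
// produces (a definition array carrying a lang key under 'name').
$schedules = [
    'opening'    => ['name' => 'admin::lang.text_opening'],
    'delivery'   => ['name' => 'admin::lang.text_delivery'],
    'collection' => ['name' => 'admin::lang.text_collection'],
];

$benign  = 'delivery';
$hostile = '<b>not-a-code</b>'; // constructed marker; any non-key string behaves the same

echo "vulnerable, benign : ", vulnerableTitle($benign), PHP_EOL;
echo "vulnerable, hostile: ", vulnerableTitle($hostile), PHP_EOL;
echo "fixed, benign      : ", fixedTitle($benign, $schedules), PHP_EOL;

try {
    fixedTitle($hostile, $schedules);
} catch (InvalidArgumentException $e) {
    echo "fixed, hostile     : rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

Run it with php on the command line. The vulnerable form echoes the marker, tags included, inside the title, because 'admin::lang.text_<b>not-a-code</b>' is not a known key and the translator hands it back verbatim; the fixed form refuses anything that is not in the list before a string is assembled. The allow-list is only half of the defence: whatever title is produced still has to be emitted through an escaping echo (Blade's {{ }} syntax) in the partial that renders it.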

Exploitation

An attacker needs to send a crafted POST request to the onLoadRecord endpoint with a malicious recordId (scheduleCode) parameter. No authentication is required where the application's routing exposes the endpoint to unauthenticated users. The attacker can inject a payload such as "> which, once formatted by the sprintf call and rendered, executes in the victim's browser context. The attack requires no user interaction beyond the victim visiting the page that triggers the vulnerable widget.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, defacement of the admin interface, redirection to malicious sites, or other actions that compromise the confidentiality and integrity of the application. The impact is limited to the scope of the browser's same-origin policy, but the attacker can potentially perform actions on behalf of the authenticated user if the victim is logged in.

Mitigation

The vulnerability is fixed in TastyIgniter version 3.3.0, released with the commit referenced in [1]. Users should upgrade to version 3.3.0 or later. No workarounds are documented in the available references. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2]. The huntr.dev report [4] confirms the severity and fix.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
tastyigniter/tastyigniter (Packagist) | < 3.3.0 | 3.3.0

Patches (1)

992d4ce64448

Minor fixes

https://github.com/tastyigniter/tastyigniter · Sam Poyigi · Mar 10, 2022 · via ghsa
4 files changed · +19 −11
  • app/admin/formwidgets/ScheduleEditor.php (+12 −5, modified)
    @@ -3,11 +3,13 @@
     namespace Admin\FormWidgets;
     
     use Admin\Classes\BaseFormWidget;
    +use Admin\Models\Locations_model;
     use Admin\Models\Working_hours_model;
     use Admin\Traits\ValidatesForm;
     use Admin\Widgets\Form;
     use Igniter\Flame\Exception\ApplicationException;
     use Igniter\Flame\Location\Models\AbstractLocation;
    +use Igniter\Flame\Location\OrderTypes;
     use Illuminate\Support\Facades\DB;
     
     class ScheduleEditor extends BaseFormWidget
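Review bot: the two added imports (Locations_model and OrderTypes) are consumed only by the listSchedules() rewrite further down in this file; if that hunk is ever reverted or moved, these become dead imports, so keep the two hunks together when backporting. No functional concern in this hunk on its own.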
    @@ -72,7 +74,7 @@ public function onLoadRecord()
             $scheduleCode = post('recordId');
             $scheduleItem = $this->getSchedule($scheduleCode);
     
    -        $formTitle = sprintf(lang($this->formTitle), lang('admin::lang.text_'.$scheduleCode));
    +        $formTitle = sprintf(lang($this->formTitle), lang($scheduleItem->name));
     
             return $this->makePartial('recordeditor/form', [
                 'formRecordId' => $scheduleCode,
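Review bot: the fix takes the request value out of the translation key, but the new line dereferences $scheduleItem->name without checking that getSchedule() found anything. If getSchedule() can return null for a code that is not in listSchedules(), that is a null property read (a PHP warning, with an empty label reaching sprintf) rather than a clean rejection; suggest guarding before the sprintf, along the lines of "if (!$scheduleItem) throw new ApplicationException('Unknown schedule code');" (ApplicationException is already imported at the top of the file; use whatever message key the project prefers). The raw $scheduleCode is still handed to the partial as 'formRecordId', which is fine only if the partial echoes it through Blade's escaping {{ }} syntax, worth confirming in the same review. For the record, the removed line was exploitable because the translator returns the lookup key unchanged when no translation exists, so any string that was not a known schedule code came straight back into the title.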
    @@ -125,10 +127,15 @@ protected function listSchedules()
             if ($this->schedulesCache)
                 return $this->schedulesCache;
     
    -        $schedules = [];
    -        foreach ($this->model->availableWorkingTypes() as $scheduleCode) {
    -            $schedules[$scheduleCode] = $this->model->createScheduleItem($scheduleCode);
    -        }
    +        $schedules = collect(OrderTypes::instance()->listOrderTypes())
    +            ->prepend(['name' => 'admin::lang.text_opening'], Locations_model::OPENING)
    +            ->mapWithKeys(function ($definition, $code) {
    +                $scheduleItem = $this->model->createScheduleItem($code);
    +                $scheduleItem->name = array_get($definition, 'name');
    +
    +                return [$code => $scheduleItem];
    +            })
    +            ->all();
     
             return $this->schedulesCache = $schedules;
         }
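Review bot: array_get() on the $scheduleItem->name line is the pre-Laravel-6 global helper; on Laravel 6 and later it exists only when the laravel/helpers package is installed. Arr::get($definition, 'name') (with use Illuminate\Support\Arr) or a plain $definition['name'] ?? null is the portable spelling. Separately, the code set changes here: the old loop derived codes from $this->model->availableWorkingTypes(), the new one from the OrderTypes registry plus the OPENING entry. Any path that still assumes the old set, getSchedule() as called from onLoadRecord() being the obvious one, should be checked against the new keys; a small test asserting that every key of listSchedules() resolves through getSchedule() would lock that in.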
    
  • app/admin/formwidgets/scheduleeditor/schedules.blade.php (+5 −5, modified)
    @@ -1,16 +1,16 @@
    -<div class="row">
    -    @foreach ($schedules as $schedule)
    -        <div class="col-lg-4 py-3">
    +<div class="d-flex flex-nowrap overflow-auto">
    +    @foreach ($schedules as $scheduleCode => $schedule)
    +        <div class="col-lg-3 {{ $loop->first ? 'py-2 pr-2 pl-0' : 'p-2' }}">
                 <div
                     id="{{ $this->getId('item-'.$loop->iteration) }}"
                     class="card bg-light shadow-sm mb-0"
                     data-editor-control="load-schedule"
    -                data-schedule-code="{{ $schedule->name }}"
    +                data-schedule-code="{{ $scheduleCode }}"
                     role="button"
                 >
                     <div class="card-body">
                         <div class="flex-fill">
    -                        <h5 class="card-title">{{ lang('admin::lang.text_'.$schedule->name).' '.lang('admin::lang.locations.text_schedule') }}</h5>
    +                        <h5 class="card-title">{{ lang($schedule->name).' '.lang('admin::lang.locations.text_schedule') }}</h5>
                             <p class="card-text">{{ lang('admin::lang.locations.text_'.$schedule->type) }}</p>
                         </div>
     
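Review bot: data-schedule-code now carries the array key from listSchedules() instead of $schedule->name, which is what the post('recordId') lookup in onLoadRecord() expects, and both it and the card title are echoed inside {{ }} so Blade HTML-escapes them; good. The wrapper and column class changes (d-flex flex-nowrap overflow-auto, col-lg-3 with the $loop->first padding) are presentational and unrelated to the XSS fix; acceptable to keep, but the commit message "Minor fixes" gives no hint that this commit closes a security issue, which matters for anyone triaging the history later.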
    
  • app/main/formwidgets/components/component.blade.php (+1 −1, modified)
    @@ -3,7 +3,7 @@ class="components-item"
         data-control="component"
         data-component-alias="{{ $component->alias }}"
     >
    -    <div class="btn btn-light text-left p-3 component{{ $component->fatalError ? ' border-danger' : '' }}">
    +    <div class="btn btn-light text-left p-3 w-100 component{{ $component->fatalError ? ' border-danger' : '' }}">
             <div
                 class="components-item-info"
                 data-component-control="load"
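Review bot: adding w-100 to the component button is a pure layout tweak in an unrelated widget. Bundling it into the commit that fixes the ScheduleEditor XSS makes the security change harder to audit and to backport; suggest splitting it out, or at minimum naming it in the commit message.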
    
  • app/system/models/config/mail_templates_model.php (+1 −0, modified)
    @@ -62,6 +62,7 @@
             'label' => 'lang:admin::lang.column_date_added',
             'type' => 'timetense',
             'searchable' => TRUE,
    +        'invisible' => TRUE,
         ],
         'template_id' => [
             'label' => 'lang:admin::lang.column_id',
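Review bot: hiding the date_added column ('invisible' => TRUE) in the mail templates list is again unrelated to the vulnerability; same suggestion as for component.blade.php, a separate commit. The uppercase TRUE matches the surrounding 'searchable' => TRUE in this file, so no style change is needed there.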
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)
